CAPITAL STEPS
A Washington, D.C., campaign will use landscape design to build hidden strength
PAGE 44

SLEAZY SLEUTHS
Is your company’s intellectual property safe from spying eyes?
PAGE 28

TRACKING HACKERS
How honeypots are taking the sting out of cyberattacks
PAGE 59

THE RESOURCE FOR SECURITY EXECUTIVES

SECURITY

During the construction of his company’s striking new headquarters, Genzyme CSO Dave Kent brought security and architecture together
PAGE 36

May 2003 $9.00
www.csoonline.com


Advertisement 


The Time for Urgency Is Now

War, terrorism, workplace violence, sabotage, theft . . . the list of security-related worries preoccupying today’s executive seems to grow each year. Who can predict what looms on the horizon? It’s easy to pretend that corporations cannot shield themselves from these threats. Publicized tragedies heighten vigilance: anthrax made people think twice about opening parcels, workplace shootings led to new focus on disgruntled employees, and the September 11 attacks united the nation in a fight against terrorism. Unfortunately, complacency seems always to return with time.

Do you compromise on security when it comes to protecting your family? Experts know that the more you do, the safer you are. Workplace security is no different; only the stakes are much greater. A large corporation is like an extended family living in a huge neighborhood: the chance of something going wrong somewhere increases with scale and there are more lives and livelihoods at risk.

Not all organizations think about security in terms of its total cost—at their peril. Some corporate budgets measure the dollars spent on security personnel and equipment but ignore the costs of crime and terror—the human tragedy, the liability expenses, the legal fees, the public relations and crisis management costs, the increased insurance premiums, the lost revenue from business interruption, the shaken confidence of customers and shareholders, the devastation in employee morale. Consider one example: A terminated employee, heavily armed, gains unauthorized entry past a new and inexperienced security officer. A single mistake, and several minutes later, lives are lost. Just one such tragic incident can jeopardize the future survival of an entire organization.

When companies view security services as a commodity, that is what they get. Some purchasing departments look only at the unit cost, selecting the lowest bidder. Many service providers then compete by minimizing their investment in wages, training and employee screening. Transient hourly employees treat their jobs in a perfunctory way. With limited authority, security managers cannot invest in quality or innovation. And yet if a serious incident occurs, they take the blame for failing to bring in a quality provider. This vicious circle detracts from buying the necessary value and focusing on what truly counts in security—results.

Being serious about security is not just about employing more security officers or buying more technological equipment. It is about approaching security in a different, smarter way. It is about knowing the backgrounds of one’s employees and on-site contractors. It is about ensuring that the one person accountable for security also purchases security. It is about considering the realm of possible threats and developing proactive solutions. It is about forming vendor partnerships to give others a stake in ensuring that all that can be done is done. It is about a commitment to total quality.

No entity can be entirely immune from crime and terrorism. When organizations commit time and resources to an urgent focus on security, however, they can minimize risk and create tangible value. A thoughtful security infrastructure supported by dedicated, energetic employees offers a shield against attack and often surpasses the traditional call of duty: responding to an accident on the shop floor and saving an employee’s life or detecting a mechanical malfunction that could lead to a plant shutdown. A strong security program also acts as a deterrent. According to reports published in a leading national newspaper, a murderous terrorist cased a sensitive public facility in California and found the Guardsmark security to be so tight that he selected different targets, shooting six people and killing one. The wounded included three children.

When we founded our company in 1963, we saw an industry that failed to focus on total quality. We sought to fill a market void by offering higher pay to employ and retain better people—offering a career, not a job. To support these professionals, we built an unmatched management team composed of former FBI and Secret Service officials, military officers, and leaders of law enforcement agencies, creating a unique think tank for a broad spectrum of security-related issues.

Whatever concerns our clients face—from routine loss prevention investigations to dealing with kidnappings and assassinations in distant lands—our men and women stand ready with the wisdom of experience, the ability to manage uncertainty, and an intricate network of valuable relationships. These crisis-resolution skills give our clients the confidence that their security provider can respond to any emergency anywhere at a moment’s notice.

Never before has confidence in security been more critical. Homeland security has emerged as an unprecedented concern. The United States of America is engaged in a war against terrorists who want to attack Americans at home, and the nation must take immediate action to correct its greatest vulnerabilities. Unfortunately, some institutions and organizations have failed to demonstrate sufficient urgency, focus and attention to safeguarding against the heightened risk facing the entire nation. The threat is not restricted to high-profile cities such as New York and Washington, D.C.; in fact, tighter security measures in those municipalities may convince the enemy to seek softer targets in less-prepared areas of the country.

Increasing emergency preparedness is essential to minimizing casualties. The ability of the United States to strike back with swift, devastating force does not deter agents of terror. Consequently, local governments must receive assistance to prepare for attack and to improve the technological capabilities of our emergency response agencies. Similarly, every organization must not only strengthen its defenses to prevent an attack, but it must also prepare to manage the aftermath of a successful assault by training on-site emergency responders and developing partnerships with firefighters, police and medical professionals. Securing a facility so that an attack will either fail outright or produce minimally disruptive consequences at best will significantly decrease the likelihood of a future strike.

The world has changed.

Complacency has never been wise, but at this time of increasing uncertainty, it has become outright dangerous and irresponsible. At Guardsmark, we realize that each of our employees is the critical ingredient in securing some facility somewhere. Who that person is, what that person thinks and how that person reacts may make the difference between calm and calamity. That is why we are committed to excellence in management, to continuous innovation, to organizational ethics and diversity, and to an unyielding focus on the customer. It all has to do with being serious about security. That is our mission. And we believe that is the mission that you need. The time for urgency is now.


10 Rockefeller Plaza, New York, New York 10020
212 765-8226 or 800 238-5878 www.guardsmark.com


The company that pioneered enterprise security just revolutionized it.

Symantec Integrated Security

Integrated Gateway Security: Intrusion Detection, Firewall/VPN, Content Filtering, Virus Protection, Management

Integrated Client Security: Intrusion Detection, Firewall, Virus Protection, Management

Introducing the secure enterprise. Before the Internet, before laptops, before e-anything, Symantec™ was protecting companies from virus attacks and malicious code. But today’s world is radically different. Threats have become more complex, dangerous and costly; and security that was once considered adequate is now rightly seen as incomplete and vulnerable. Now a revolutionary solution has arrived. Symantec Integrated Security is comprehensive security that protects your entire enterprise. Every element is designed to work together as a seamless and unified system. The result is more efficient management, quicker response to new threats and, ultimately, better protection for your whole company—from your gateway with Symantec™ Gateway Security, to your clients with Symantec™ Client Security. It’s a new way to understand and create the truly secure enterprise. Join the revolution. Visit http://ses.symantec.com/USB000A8VDl or call 800-/45-6054 for our free White Paper, “Integrated Security: Creating the Secure Enterprise.”

Symantec.

be the ugly little tugboat that turns the Queen Mary,

DAVE KENT, CSO OF GENZYME
PAGE 36

24 Someone to Watch Over You
SECURITY COUNSEL @Stake CTO Dan Geer answers readers’ questions about information technology risks.

26 Will Hack for Food
FLASHPOINT In this tough job market, underemployed young techies pose a serious security threat. By David H. Holtzman

64 The Positive Value of a Power Lunch
CSO UNDERCOVER As your company’s security executive, are you at the table with the other business leaders?

28 Snooping, by Hook or by Crook
INTELLECTUAL PROPERTY Corporate spies come in many guises, but they all have one thing in common: They want to use your company’s secrets for competitive gain. This is a five-step guide to how they operate. By Sarah D. Scalet

DEPARTMENTS

13 Briefing
Ready, set, board!; It’s the least you can do; Let’s get physical; Rethinking state lines; A penny for your stock.

Cover photo by Jason Grow

36 Cover Story The Architect
SECURITY BY DESIGN Imagine being able to layer security into your building the way you do the plumbing or wiring. Genzyme’s Dave Kent doesn’t have to imagine it—he got to do it. By Scott Berinato

44 Hidden Strengths
SECURITY BY DESIGN Does security have to be as ugly as a jersey barrier? Or can it be both effective and attractive? Planners in the nation’s capital are putting well-designed security to the test. By Daintry Duffy

50 When Bad Things Happen to Good Companies
CYBERINCIDENT RESPONSE If you don’t have a clear response plan in place, you risk losing millions of dollars. By Simone Kaplan

IN EVERY ISSUE

6 CSOonline.com

22 Wonk
Homeland melting pot: The government consolidated several agencies under the umbrella of homeland security, a move some fear will be less than smooth. By Julie Hanson

59 Machine Shop
Honeypots and honeynets can take the sting out of hacker attacks. By Simson Garfinkel
TOOLBOX: Chemical and biological detectors

68 Debriefing
I’ll take “Big Brother” for $100.

8 Letter from the Editor
10 Advisers


4  www.csoonline.com  May  2003 


© Robert Half Technology. EOE

A Robert Half International Company

Network Security Engineers are a phone call away.

To keep your business competitive, you need the right IT talent at just the right time.

With more than 100 locations worldwide, Robert Half Technology is a leading provider of:

• Network Security Engineers
• Network Administrators
• Programmers
• Database Administrators
• Web Developers
• Help Desk Professionals
• And other Technology Professionals

With our exceptional connections to the best technology talent available, we’ll do more than provide cost-effective solutions to your needs - we’ll do it exactly when you need it.

Call today!

800.793.5533 roberthalftechnology.com

ROBERT HALF® TECHNOLOGY
Information Technology Professionals SM


CSOonline.com

Security Counsel

Tracy Lenzner is president and founder of the LenznerGroup, an executive search consultancy that specializes in IS and security investigation. Lenzner has successfully placed CSOs and other key leadership positions for major Fortune 500 organizations. Visit SECURITY COUNSEL to post a question about how to land a position as a CSO.
www.csoonline.com/counsel

CSO Research Centers

Visit CSOonline’s RESEARCH CENTERS to find archived articles from CSO and its sister publications, webcasts, interviews and links to relevant sources. Our editors update the research centers frequently, so visit often.
www.csoonline.com/research

Security A to Z

You can’t communicate the value of security unless you know what you’re talking about. From “abuse of privilege” to “white-hat hacker,” CSOonline’s GLOSSARY has got you covered. You’ll be speaking (and understanding) the industry lingo in no time.
www.csoonline.com/glossary

Free Newsletters

CSO newsletters delivered right to your inbox—for free. CSO UPDATE highlights CSOonline’s most recent content. CSO WANTED UPDATE alerts you to the latest security-related job openings in our database. It takes only a few seconds to subscribe.
www.csoonline.com/newsletters




Daily Dose of CSO

Visiting CSOonline every day won’t necessarily keep the hackers away, but it can’t hurt, right? Here’s a rundown of the fresh content you’ll find each weekday:

MONDAY
TALK BACK How do you get out the security message in belt-tightening times? Visit each week to share your opinions on this and other controversial security topics.
www.csoonline.com/talkback

TUESDAY
SECURITY CHECK Quick and easy. Vote in our weekly security poll. You may also check the results of previous polls, such as “Do you think Microsoft’s security initiative has made progress over the past year?” More than half of respondents said Microsoft has made modest progress.
www.csoonline.com/poll

WEDNESDAY
ANALYST REPORTS We’ve gathered research and analysis from respected sources and put all of it into one convenient package. In a recent report, Gartner explains how the SQL Slammer exposed the vulnerabilities of desktop servers in the enterprise.
www.csoonline.com/analyst

THURSDAY
METRICS Did you know that 42 percent of consumers believe businesses handle personal information in a proper and confidential way? Visit each week for the statistics that matter for security professionals.
www.csoonline.com/metrics

FRIDAY
POLITICS & POLICY Read our weekly recap of action on the Hill. Get the full text of bills before the House and Senate, and blurbs about other legislative activity inside the Beltway and out.
www.csoonline.com/politics



President Walter Manninen
Group Publisher Gary J. Beach
Publisher Bob Bragdon

EDITORIAL

Editor in Chief Lew McCreary
Executive Editor Derek Slater
Managing Editor Elaine M. Cummings
Managing Editor, Production Cheryl R. Asselin
Senior Editors Scott Berinato, Daintry Duffy
Research Editor Lorraine Cosgrove Ware
Senior Writer Sarah D. Scalet
Staff Writer Simone Kaplan
Copy Chief Tom Wailgum
Asst. Managing Editor, Production Kathleen S. Carr
Copy Editors Kelli A. Gauthier (Assoc.), Emily S. Henderson, Sarah Johnson (Assoc.)
Special Projects Manager Lynne Z. Rigolini
Editorial Resource Manager Carol Zarrow
Editorial Assistants Daniel J. Horgan, Joe Sullivan
Contributors David H. Holtzman, Dan Geer, Simson Garfinkel, Paul Roberts
Editorial Operations Specialist Julie Hanson

DESIGN

Executive Director, Art and Design Mary Lester
Art Director Steve Traynor
Senior Designer Chandra Tallman
Design Operations Specialist Rachel Barnett

WEBSITE

Senior VP/General Manager, Online Tim Horgan
Web Editorial Director Art Jahnke
Executive Web Editor Martha Heller
Web Editor Sandy Kendall
Web Writer Jon Surmacz
Online Technology Director Dagmar Eiben
Senior Web Developer Ellen Morey
Director of Online Research Kathleen Kotwica
Audience Development Manager Andrew Burrell
Web Developers Diane Chen, Shannon Macdonald
Online Content Researcher Tara Gillet-Liloia
Designer Graham White

Founder Joseph L. Levy

INTERNATIONAL DATA GROUP

Board Chairman Patrick J. McGovern
CEO Pat Kenealy

BPA INTERNATIONAL MEMBERSHIP
Applied for August 2002
© CXO Media Inc.






INTRODUCING REALSECURE NETWORK 7.0.

RELEASED JUST AHEAD OF EVIL THREAT 6.8.

Dynamic Threat Protection. The most complete protection available. Leading-edge detection, prevention and response that stops the bad guys cold. That’s RealSecure® Network 7.0. Our solution offers the most accurate protection at network speeds without slowing you down. Plus, our SiteProtector™ centralized management system makes protecting a large network as simple as the click of a mouse. Or, let us do it for you with our 24/7 Managed Protection Services. Keep evil one step behind. Find out why RealSecure is the market share leader: visit www.iss.net/iss-cso or call us at 800-776-2362.

RealSecure Network 7.0

• Unified protocol analysis and pattern matching - that works
• Analyzes 95 network protocols - catching even unknown attacks
• Nonstop protection at network speeds up to 1Gbps
• Backed by X-Force,™ the world’s #7 security intelligence team

Internet Security Systems


I’m in an Armored State of Mind

In my role as editor of this magazine, I was interviewed by Al and Stacy a couple of weeks ago. Al and Stacy host a morning drive-time talk radio show in Charlotte, N.C.

The topic, in a fairly general way, was security. Al asked me about CSOs and what they do. Then Stacy mentioned that she’d recently seen an ad for an armored car. And what did I make of that?

“Well,” I said, in a slightly-too-snarky way, “urban assault vehicles have been growing in popularity for a long time now. But I think their value is more psychological than actual.”

“You mean they don’t work?” said Stacy.

“Well, I don’t know. I’ve never driven one....”

At which point I backtracked, thinking that a discussion of armored vehicles was taking me way out of my depth.

What I wish I’d said—what I should have said—was that part of the essential skill set of a CSO is to know when an armored car is a good security investment, as opposed to a big fat, bulletproof waste of money. You can go out and buy a lot of security, but it’s also easy to overbuy against some highly unlikely risks. So maybe a bulletproof car and a well-trained driver make a great investment in some kidnap-happy equatorial nation. But in White Plains or Cleveland Heights or Alpharetta? Maybe not so great.

Nonetheless, after Al and Stacy ditched me I got to thinking about security as a state of mind. Is there quantifiable ROI in spending money to make people feel safe, as opposed to actually being safe? How much of the visible security in the world is real rather than psychological? To be fully effective, should security be visible or invisible? Do bollards, jersey barriers and impromptu guard posts on the streets of Washington (to say nothing of the rocket launcher adorning the grounds of the Washington Monument) add substantively or only perceptually to the sense of security a citizen feels? Should security be made to blend in better aesthetically? (See “Hidden Strengths,” Page 44, Senior Editor Daintry Duffy’s story about efforts to make the nation’s capital safer in more attractive, less noticeable ways.) Or should it be impressively obvious?

Pundits have observed that America is an exceptionally fearful place post-9/11. But the trend toward a siege mentality has been in motion for far longer than that. As the rate of violent crime has fallen sharply over the past two decades, the average American’s sense of vulnerability to crime has soared. And what’s with that? The popularity of SUVs is partly based on a yearning for protection from the natural and man-made menaces that run riot outside of the passenger compartment. Advertising campaigns have often focused on the slew of freak dangers one avoids or surmounts by driving around in a four-wheeled fortress.

The relationship between actual and perceived risks can be tenuous, and buying an armored vehicle may, in the end, amount to treating an imaginary illness. Still, we wonder whether there may be some merit to the idea that investments in simply feeling safer should have a place among the priorities of CSOs. The challenge, as always, will be to find metrics that can put a value on soothed anxieties.

Let us know what you think.

-Lew McCreary
mccreary@cxo.com




PHOTO  BY  WEBB  CHAPPELL 




CCTP would have made his life much easier. CCTP, engineered by Anixter, is:

• The only open architecture, standards-based, structured video surveillance solution
• 30% less expensive than traditional CCTV systems
• Video, Power and Control over one optimized UTP cable
• Able to handle existing analog technology
• Ready for the IP surveillance future

CCTP products exclusively manufactured for Anixter by Belden and Siemon.

Introducing CCTP
video surveillance for the digital age

Want to know more?
Simply go to anixter.com/CCTP or call 1-800-ANIXTER.

*Winner of the “Best New Technology” Award at the Federal Office Systems Expo (FOSE)




CSO wishes to thank the following individuals for serving as our editorial Board of Advisers, supplying their expertise and guidance to CSO’s editors.*

CHRIS CHRISTIANSEN
Program Vice President, eBusiness Infrastructure and Security Software, IDC

STEPHEN E. CROSS
Director and CEO, Software Engineering Institute and CERT Coordination Center, Carnegie Mellon University

DAVID CULLINANE
CISO, Washington Mutual
President, Information Systems Security Association

DOROTHY DENNING
Professor, Department of Defense Analysis, Naval Postgraduate School

DANIEL E. GEER JR.
CTO, @Stake

DAVID M. HAGER
Vice President, Network Security and Disaster Recovery, OppenheimerFunds

JOHN HARTMANN
Former Vice President of Security and Corporate Services, Cardinal Health

STEVE KATZ
President, Security Risk Solutions

MICKI KRAUSE
CISO, Pacific Life Insurance

BRUCE SCHNEIER
CTO, Counterpane Internet Security

JOHN TRITAK
Former Director, Critical Infrastructure Assurance Office

KRIZI TRIVISANI
Information Security Officer, The George Washington University

JAMES WADE
CISO, KeyCorp
President, (ISC)2

ROBERT WEAVER
Assistant Special Agent in Charge, Secret Service Electronic Crimes Task Force, New York City

How to Reach Us

E-MAIL csoletters@cxo.com
PHONE 508 872-0080
FAX 508 879-7784
ADDRESS CSO Magazine, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208

SUBSCRIBER SERVICES
Phone: 866 354-1125
Fax: 847 564-9002
E-mail: cso@omeda.com

REPRINTS
Reprints are available by calling Reprint Services at 651 582-3834, or via e-mail at csoreprints@reprintservices.com.

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG’s 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.

*The advisers’ participation does not imply an endorsement of the magazine’s contents or opinions.


“No doubt there will come a time when incident response will be part of the mandatory professional skill set of security professionals.”

-DAN GEER, CTO, @STAKE
(SEE “SOMEONE TO WATCH OVER YOU,” PAGE 24)




PHOTO  BY  FURNALD/GRAY 


With neuSECURE™, industry-leading software from GuardedNet, you can transform those mountains of raw security event data into what you really need - knowledge to help you manage your organization’s security posture.

neuSECURE threat management process

Knowledge

neuSECURE is a central monitoring system for log aggregation, event correlation, threat analysis, threat response and forensic investigation of security event data from
and routers. neuSECURE
attack detection and response, and generates a wide range of reporting options for operations, management and audit compliance.

For a free white paper on improving your security data relevancy, call 1-888-599-8297 or visit www.guarded.net/logdataoverload.html

Event sources: Firewalls, IDS, Routers, Op Systems, Applications, Others

“Our sights are set on corporate growth. We need to move fast to stay competitive.

My IT department can barely keep their heads above water with the day to day issues, let alone have time to research new system options.

I’m willing to invest in the education of today’s technology if the return improves our productivity and bottom line results.”

The Information and Communications Technology (ICT) Conference and Tradeshow - strictly business to business.

CeBIT America’s 3-day, enterprise only Conference and Tradeshow provide direct access to the world’s systems, applications, communications and networking leaders, in one place, at one time.

If you’re charged with integrating technologies and applications to meet your organization’s business objectives, then we’ll see you at CeBIT America - Where the World Turns for ICT Solutions.

June 18-20, 2003
Jacob K. Javits Center
New York City

Register Now! Visit www.cebit-america.com/info27 to register with priority code MAK3 and view our online brochure, or give us a call, 212-465-0531.

Some of our participating partners: Builder.com • Business Council for the United Nations • CNET News.com • Computerworld • Gartner • Information Technology Association of America • MultiMeteor • Network World • New York eComm • Novell Best of BrainShare • Oracle • Tech Corps • TechRepublic • Wall Street Journal • Wall Street Technology Association • ZDNet


News,  Stats  and  Fast  Facts 

Edited  by  Kathleen  Carr  and  Daintry  Duffy 


Ready. ..  Set. ..  Board ! 


REGULATIONS Green means go, yellow, take pause, and red, stop. According to some, what’s good for traffic is also good for travel. Computer Assisted Passenger Prescreening II (Capps II) is technology meant to improve current airline passenger screening methods. It received $35 million last year, is due to receive $35 million more in FY04, and the Transportation Security Administration (TSA) plans to start testing the system soon.

The system will collect information in government and commercial databases, and look for a pattern of purchases and activity that indicates a traveler is a threat to security. It’s like an instant credit check that scores how “terroristic” you seem. Passengers will be rated Green (free to go and subject to the normal security checks that have been going on before and since 9/11), Yellow (held back for more intense screening and questioning), and Red (not allowed to fly).

Once a passenger is rated, the TSA says Capps II purges the gathered data. The next time you buy a ticket, the process begins all over again. Privacy advocates want more proof that data isn’t warehoused.

The TSA and its partners in this effort, Delta Air Lines, IBM and Lockheed Martin, didn’t expect the upheaval that Capps II has created. They were trying to improve current technology (Capps I) by reducing false positives and honing the threat profile. But privacy advocates, including the Electronic Privacy Information Center, contend that Capps II invades privacy and flouts constitutional rights. They have flooded the TSA with complaints.

Is Capps II the Orwellian nightmare of background checks and personal data collection some have made it out to be? It’s difficult to say because, even as the TSA gets set to test the system, the agency has been remarkably evasive. Where privacy groups see a threat to civil liberties, the TSA sees convenience—letting most of us breeze through security instead of dealing with the secondary checks and de-shoeings. Some supporters even hope the technology could lead to a program that lets preregistered travelers speed through a fast lane at airport security checkpoints.

Capps II is in its early stages and questions loom about the cost of the program and whether it will truly deter terrorism. And it looks like privacy groups aren’t likely to give up their fight any time soon. For now, keep wearing your good socks to the airport.

-Scott Berinato

IT’S THE LEAST YOU CAN DO

CYBERSECURITY Hacking has gone global. The National Infrastructure Protection Center recommends the following measures to combat the increase in attacks to your network. Although these actions may seem basic, they are effective and are not yet in place at most companies.

■ Increase user awareness

■ Update antivirus software

■ Stop potentially hostile and suspicious attachments at the e-mail server

■ Use filtering to maximize security

■ Establish policies and procedures to respond to and recover from a hack

SOURCE: WWW.NIPC.GOV

CSO SECURITY CHECK

How did your company deal with its perimeter security post-9/11?

[Chart: 44% answered “Didn’t add enough”; the remainder answered “Added appropriate protection.”]

Almost half of you said that your company did not add enough security protection post-9/11. You can learn from Washington. Read Senior Editor Daintry Duffy's feature, “Hidden Strengths,” on Page 44.
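One of the NIPC measures above, stopping potentially hostile and suspicious attachments at the e-mail server, is the kind of control a mail gateway enforces with a small policy check before delivery. The following is an added example written for this page, not NIPC guidance or any vendor's code; the blocked and decoy extension lists, the executable MIME types and the sample message are constructed for illustration.

```python
"""Attachment policy enforcement at the mail server.

Added example, not NIPC's text or any product's code: a gateway-side
check that stops executable and disguised attachments before delivery.
The extension lists, MIME types and the sample message are constructed.
"""
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Extensions that execute when opened; blocked outright (constructed list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".js", ".bat", ".cmd", ".com"}
# Document-looking extensions used as the inner half of a double extension
# such as "invoice.pdf.zip" (constructed list).
DECOY_EXTENSIONS = {".pdf", ".doc", ".xls", ".jpg", ".txt"}
# Declared MIME types of native executables, checked independently of the name.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def classify_attachment(filename: str, content_type: str) -> tuple[str, str]:
    """Return ("block", reason) or ("allow", reason) for one attachment."""
    name = (filename or "").strip().lower()
    root, ext = posixpath.splitext(name)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"executable extension {ext}"
    _, inner = posixpath.splitext(root)
    if inner in DECOY_EXTENSIONS and ext and ext not in DECOY_EXTENSIONS:
        return "block", f"double extension {inner}{ext}"
    if content_type.lower() in EXECUTABLE_TYPES:
        return "block", f"executable MIME type {content_type}"
    return "allow", "no policy match"


def scan_message(raw: bytes) -> list[tuple[str, str, str]]:
    """Parse a raw RFC 822 message and classify each attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict, reason = classify_attachment(name, part.get_content_type())
        findings.append((name, verdict, reason))
    return findings


def should_deliver(raw: bytes) -> bool:
    """A message is delivered only if none of its attachments is blocked."""
    return all(verdict == "allow" for _, verdict, _ in scan_message(raw))


def build_sample_message() -> bytes:
    """Constructed message: one legitimate PDF, one executable hiding behind
    a .pdf decoy name, one plain text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Q1 figures"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="figures.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="figures.pdf.exe")
    msg.add_attachment("constructed notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message()
    for name, verdict, reason in scan_message(sample):
        print(f"{verdict:5} {name:20} {reason}")
    print("deliver:", should_deliver(sample))
```

The decision is made on the declared filename and MIME type only, which is what a 2003-era gateway had to work with; a practitioner today would add content inspection behind the same `classify_attachment` hook.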


ILLUSTRATIONS  BY  PAUL  HOWALT 


May  2003  www.csoonline.com  13 


Pressure 


Let’s  Get  Physical 


CERTIFICATION When it comes to physical security, ASIS is flexing its muscle. Shortly after 9/11, ASIS International witnessed a deluge of organizations offering certifications or training for various levels of security expertise. ASIS couldn't attest to the validity of those certifications, so it decided to devise its own.

The ASIS Professional Certification Board constructed a test, called the physical security professional, or PSP, certification. Comprising 15 security professionals with expertise in all aspects of security, the ASIS board worked with the Professional Examination Service, a testing company.

The exam took two years to write and test, and the organization will add new questions every year to keep the exam current. The multiple-choice test questions are 41 percent physical security assessment (asset valuation, threat assessment and risk analysis), 24 percent integrated physical security measures (identifying and applying security measures, cost analysis, and documenting recommendations for facility planning), and 35 percent implementation of physical security measures (procuring and implementing solutions, and monitoring and evaluation procedures).

The PSP certification exam will be offered for the first time on July 19 in Anaheim, Calif., and Washington, D.C. The exam is intended to measure a security practitioner’s experience in physical security. Umbrella certifications such as the CPP also include physical security components, but only as one of many subtopics. Dan Kropp, the 2003 president of ASIS, does not suggest that all security professionals get the PSP certification, but he does recommend it for those who design and install security systems.

The test plumbs an individual’s knowledge of what it takes to secure a facility. Eligibility requirements include five years of physical security experience, a high school diploma and a clean criminal record.

CSOs should consider their security responsibilities and the needs of their organizations when deciding whether the PSP is right for them.

-Kathleen Carr


Making an impression just got easier. Scientists in the United Kingdom have announced the development of biometric devices that detect finger pressure.

The devices, known as piezo-electric (or pressure electricity) and piezo-resistive sensors, were developed by scientists Neil White and Neil Henderson at the University of Southampton in the United Kingdom with colleagues at the University of Twente in the Netherlands. The sensors detect the unique pressure stamp created by an individual as he taps out a rhythm or sequence, such as a PIN.

White and his colleagues studied the waveforms generated by 34 subjects as they tapped on a piezo electric sensor mounted on a smart card.

The waveform properties of the pulses created by each individual tapping the sensor were captured and compared. Waveforms were studied for unique characteristics such as height and duration. Like sound waves, pressure points provide wavelengths that can be measured. The scientists found that the waveforms could be used to uniquely identify each member of the study group.

The sensors can be screen-printed onto a thin layer of Mylar, then bonded onto a wide range of objects, from smart cards to PDAs.

The notion of capturing an individual’s unique tapping pattern is not new to the world of biometrics, according to James Wayman, director of the U.S. National Biometric Test Center at San Jose State University’s College of Engineering. However, the addition of pressure waveform patterns to keystroke timing is a new twist. “If the pressure one uses on a keypad is stable enough to be used as an identifier, that’s new,” Wayman says.

However, keypad pressure sensors may run up against many of the same obstacles as earlier keystroke pattern recognition technology. Users must supply the sensors with a substantial amount of initial input in order to train the sensor to recognize the individual's unique waveform signature. Physiological responses like fatigue can change the pattern of the user’s input in the course of such a test. Factors such as posture or position relative to the sensor pad can also affect a user's pressure signature.

Scientists suggest that more study of pressure sensors is needed to perfect the technology and reduce the error rate. Keep your fingers crossed. -Paul Roberts

DEPARTMENT OF BIG, SCARY NUMBERS

63% of [illegible] security [illegible] human error.

SOURCE: “COMMITTING TO SECURITY: A COMPUTING TECHNOLOGY INDUSTRY ASSOCIATION ANALYSIS OF I.T. SECURITY AND THE WORKFORCE,” 2003
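The enroll-then-match flow described above, written out as an added example that is not the Southampton or Twente researchers' code (the article does not give their feature set or matching method, so the ones here are assumptions): constructed pressure pulses are reduced to the two characteristics the article names, height and duration; several training taps per user form a template, the "substantial amount of initial input"; a live tap is attributed to the nearest template within a tolerance; and a tap whose pressure has drifted, as fatigue or a change of posture would cause, falls outside the tolerance and is rejected rather than attributed to the wrong person.

```python
"""Tap-pressure identification reduced to height and duration.

Added example, not the researchers' code. Waveforms are constructed
triangular pulses standing in for piezo sensor output; the feature set,
the spread-normalised distance and the tolerance are assumptions.
"""
from statistics import mean, pstdev

# Floors on the enrolled spread so a very consistent user does not end up
# with a template that rejects everything (assumption for this toy).
MIN_HEIGHT_SD = 1e-3
MIN_DURATION_SD = 0.5


def synth_pulse(peak: float, width: int, n: int = 40) -> list[float]:
    """Constructed pressure pulse: rises linearly to `peak` and falls back
    to zero over `width` samples, then stays at zero until sample n."""
    half = max(width // 2, 1)
    pulse = [0.0] * n
    for i in range(width):
        pulse[i] = round(peak * min(i, width - i) / half, 4)
    return pulse


def pulse_features(samples: list[float]) -> tuple[float, int]:
    """Reduce one pulse to (height, duration): the peak amplitude and the
    number of samples above 5% of it, i.e. how long the finger pressed."""
    height = max(samples)
    duration = sum(1 for s in samples if s > 0.05 * height)
    return height, duration


def enroll(training_taps: list[list[float]]) -> dict[str, tuple[float, float]]:
    """Build a user template, (mean, spread) per feature, from several taps."""
    feats = [pulse_features(tap) for tap in training_taps]
    heights = [h for h, _ in feats]
    durations = [float(d) for _, d in feats]
    return {
        "height": (mean(heights), max(pstdev(heights), MIN_HEIGHT_SD)),
        "duration": (mean(durations), max(pstdev(durations), MIN_DURATION_SD)),
    }


def distance(features: tuple[float, int], template: dict) -> float:
    """Euclidean distance with each feature measured in its enrolled spread."""
    h, d = features
    mh, sh = template["height"]
    md, sd = template["duration"]
    return (((h - mh) / sh) ** 2 + ((d - md) / sd) ** 2) ** 0.5


def identify(tap: list[float], templates: dict, tolerance: float = 3.0):
    """Nearest enrolled user, or None when even the nearest template is more
    than `tolerance` spreads away: an unknown user, or a known one whose
    pressure has drifted since enrollment."""
    f = pulse_features(tap)
    best = min(templates, key=lambda user: distance(f, templates[user]))
    return best if distance(f, templates[best]) <= tolerance else None


def demo() -> dict:
    # Constructed enrollment: alice taps lightly and briefly, bob hard and long.
    alice = [synth_pulse(p, w) for p, w in
             zip([0.40, 0.42, 0.38, 0.41, 0.39], [10, 10, 11, 10, 9])]
    bob = [synth_pulse(p, w) for p, w in
           zip([0.90, 0.95, 0.88, 0.92, 0.91], [20, 21, 20, 19, 20])]
    templates = {"alice": enroll(alice), "bob": enroll(bob)}
    return {
        "alice_fresh": identify(synth_pulse(0.41, 10), templates),
        "bob_fresh": identify(synth_pulse(0.93, 20), templates),
        # Fatigued alice presses at about 60% of her enrolled pressure, a little longer.
        "alice_tired": identify(synth_pulse(0.25, 12), templates),
    }


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case}: {who}")
```

Rejecting the tired tap is the conservative outcome: it produces a false rejection rather than a false acceptance, which is the error a second factor (the PIN sequence itself) can absorb.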




Your Enterprise Monday 10:32 A.M.

Now you can know what, when, where and how data change has occurred.

Tripwire® assures the integrity of your data and gives you the ability to effectively pinpoint and manage undesired change across all your servers and network devices. By establishing a baseline of data in its known good state, Tripwire software monitors and reports any changes to that baseline and enables rapid discovery and recovery when an undesired change occurs.

Maximize System Uptime

■ Identify change quickly

■ Enable quick restoration to a desired state

■ Eliminate risk and uncertainty

Failsafe Foundation for Data Security

■ Ensure the integrity of your data

■ Enable detailed audit reporting

■ Granular visibility and control

Lower Costs and Frustration

■ Greatly reduces the time it takes to find and diagnose problems

Tripwire’s data integrity assurance solutions are the only way to have 100% confidence that your systems remain uncompromised.

In the event of a change in state, you’ll know exactly what, when, where and how change has occurred so you can recover quickly.

For a FREE 30-day fully-functional demo and copy of the white paper “Data Integrity Assurance in a Layered Security Strategy...”, call toll-free: 1-800-TRIPWIRE (874.7947) or visit http://cso.tripwire.com today!

Tripwire
THE DATA INTEGRITY ASSURANCE COMPANY

© Copyright 2003. Tripwire and the Tripwire logo are registered trademarks of Tripwire, Inc.
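The advertisement above describes the baseline-and-compare approach to integrity monitoring. What follows is an added example, not Tripwire's code and not a description of its product internals: it snapshots a directory tree (SHA-256 digest, size and permission bits per regular file), seals the baseline with an HMAC so that a baseline altered after the fact is detected rather than trusted, and reports what was added, removed or modified. The directory layout, file contents and key are constructed for the demo; in real use the sealed baseline and the key are kept off the monitored host.

```python
"""Baseline-and-compare file integrity check.

Added example, not Tripwire's code. Records a SHA-256 digest, size and
permission bits for every regular file under a root, seals that baseline
with an HMAC, and reports additions, removals and modifications since.
The demo tree, its contents and the key are constructed.
"""
import hashlib
import hmac
import json
import stat
import tempfile
from pathlib import Path

TRACKED = ("sha256", "size", "mode")


def snapshot(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to its tracked attributes.
    Symlinks are skipped so a link cannot stand in for the file it points at."""
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        entries[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return entries


def _canonical(entries: dict) -> bytes:
    return json.dumps(entries, sort_keys=True).encode()


def seal_baseline(entries: dict, key: bytes) -> bytes:
    """Serialize the baseline with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, _canonical(entries), "sha256").hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}, sort_keys=True).encode()


def open_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting a stored baseline; refuse if it fails."""
    data = json.loads(blob)
    expected = hmac.new(key, _canonical(data["entries"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, data["hmac"]):
        raise ValueError("baseline integrity check failed")
    return data["entries"]


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified paths; a modified entry carries the
    names of the attributes that differ (content, size, permissions)."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            changed = [k for k in TRACKED if baseline[rel][k] != current[rel][k]]
            if changed:
                report["modified"].append((rel, changed))
    return report


def demo() -> dict:
    key = b"constructed-demo-key"  # would live off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("bin", "etc", "var"):
            (root / sub).mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "hosts").chmod(0o644)
        (root / "var" / "old.log").write_text("constructed log\n")
        sealed = seal_baseline(snapshot(root), key)  # taken while known good

        # Later: a binary is replaced, a permission loosened, a file appears, one vanishes.
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed, replaced")
        (root / "etc" / "hosts").chmod(0o666)
        (root / "etc" / "rc.local").write_text("constructed addition\n")
        (root / "var" / "old.log").unlink()

        return compare(open_baseline(sealed, key), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC step is the part most ad hoc scripts omit: a baseline that sits unprotected on the same host can be regenerated by whoever changed the files, which turns the check into a record of the compromised state.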




No Levers Required

Briefing

GOVERNMENT In October, President Bush signed into law the Help America Vote Act of 2002. Perhaps mediated by the fact that his own election fate hung in the chads for a while, the president allotted $3.9 billion to help states replace outdated voting machines. Electronic voting machines will receive some of the funding.

Not everyone is happy about the new emphasis on e-voting. These systems make it easier for corrupt election officials or hackers to skew election results, complains Peter Neumann, principal scientist at SRI International, a nonprofit research institute.

Unlike paper-ballot systems, it’s impossible to verify that a vote cast electronically is recorded properly. Votes displayed correctly onscreen could easily be recorded incorrectly within the system or not recorded at all, he contends.

But researchers are looking into potential solutions to the problem, like an electronic system that would print out a paper copy of each voter’s ballot after submission.

On the other side of the issue, voting technology experts contend that the technology is quite secure. “These systems are very reliable. They're tested extensively, and they’re not allowed into use until their reliability and accuracy have been demonstrated,” says Brit Williams, professor emeritus of computer science and information systems at Kennesaw State University.

While computer systems are vulnerable to tampering, Williams points out that absentee paper ballot scams or tried-and-true vote-buying schemes are much easier to pull off than the vast conspiracy required to manipulate an e-voting machine. -Paul Roberts


Rethinking State Lines

INFORMATION SHARING When all hell breaks loose, it’s good to have friends nearby. If those friends are in each of the 50 states, that’s even better. Information sharing and analysis centers (ISACs) have formed in several states to share information and intelligence about cyber- and physical security threats. The ISACs’ aim: to open the lines of communication. “We want to help create a single point of contact between the states and the federal government,” says ISAC leader William Pelgrin, director of the New York City Office of Cyber Security and Critical Infrastructure Coordination. “Instead of relying on private sector ISACs for information on vulnerabilities, communication at the state level is a way to eliminate reporting redundancies and create another method to protect critical infrastructure.” ISACs serve as central collection points for new cyberthreats. They often represent industry sectors, and their members share and evaluate data on vulnerabilities. Until now, the states have worked with third-party ISACs but haven’t had a framework to communicate among themselves.

Representatives from the multistate ISAC convene every month via teleconference to discuss new critical infrastructure vulnerabilities. They meet face-to-face once a year to solidify the group’s objectives and goals. So far, 14 states have joined, including Texas, Washington and all six New England states. Pelgrin aims to have all 50 states in the ISAC within a year.

The group recently did a self-test of its reporting abilities to make sure each state knew what to do in case of a major incident or attack on critical infrastructure. During President’s Day weekend, each state kept an eye out for any suspicious cyberactivity and reported the findings to Pelgrin’s office in New York via phone and e-mail. No incidents occurred, but all the member states reported to the central office on time, and Pelgrin later sent summaries of each state’s results to all 14 ISAC members.

“We wanted to test the system during a relatively calm time period,” Pelgrin explains. “I’d rather work out any bugs when nothing is on the line and then have confidence that the states know what to do in a crisis situation.”

-Simone Kaplan


Catch My Drift?

TECHNOLOGY Hounds may have a keen sense of smell, but sometimes technology is a more discreet solution. London's Heathrow Airport is testing a new device that may eventually replace dogs in sniffing out contraband like drugs and explosives. Passengers walk through an arch that sprays them (gently) with plumes of air to free trapped particles and vapors from the body and clothing. The air is drawn back into the machine and analyzed for traces of explosives. The fully automated technology was devised by Smiths Detection. The device, called the Ionscan Sentinel II, allows security staff to focus on searches of carry-ons while the portal scans the passengers. The technology can recognize traces of more than 40 drugs and explosives, and can scan seven passengers per minute. (For more about detectors, see “Sensitive Sorts,” Page 59.) -Kathleen Carr


Imagine an intrusion protection system that actually anticipates a hacker's behavior. Checkmate is the newest breed of intrusion protection, and the first to truly combine behavioral and computer sciences. Created by nationally recognized experts in psychological assessment and network security, Checkmate assesses a hacker's intent and prevents damage before it occurs. For more information, visit www.psynapsetech.com

Checkmate

Finally, an intrusion protection system with brains

Game Over.


A Penny for Your Stock

Hartley Bernstein sank his first career in the fraud-infested world of the penny-stock market. He’s starting a new one unmasking and revealing the techniques of the fraudsters.

INTERVIEW Hartley Bernstein hasn’t always been one of the good guys. As a securities lawyer in the 1990s, he represented a number of now-notorious penny-stock manipulators. When Bernstein became aware of some insider trading at a client company, he kept that knowledge to himself. In 1998, he discovered that the government intended to charge him with failing to disclose that incident. He agreed to enter a guilty plea and cooperate with their investigation. He was sentenced to two years probation. Through that process, Bernstein discovered that he had a knack for unearthing stock market fraud. It led him to found StockPatrol.com, an online investigative finance journal that he runs out of his Manhattan apartment. We spoke to Bernstein about fraud, his rehabilitation and the future of his stock-snooping company.

CSO: Why is the penny-stock market so ripe for fraud?

Hartley Bernstein: A lot [of fraud] can be seen in the penny-stock industry, but it’s not limited to it. The same practices take place no matter what the size of the company. For years, a lot of penny-stock fraud was perpetrated by so-called boiler rooms—huge telephone banks where [brokers] intimidated customers into buying stock. In the 1990s, they were replaced by the Internet. One way it’s used is by sending out spam by the hundreds of thousands. Those e-mails promote companies, and the promoters hire investment advisory firms to say that they’re wonderful companies. They never tell you any of the problems, but those are easy to find if you know where to look. That’s what I do.

How did you get the idea for StockPatrol.com?

The impetus came from my experience representing firms that didn't do right by investors. I wanted to be on the other side, to use my insight to expose stock frauds. What I discovered is that there are so many frauds out there that a day doesn't go by that I couldn’t write about a new one. It sounds scary, but when you realize that there are 3,700 companies trading on the over-the-counter market alone and another 3,900 on pink sheets, in addition to the companies traded on the organized exchanges, there are well over 12,000 public companies. Only a few hundred may be doing wrong at a given time, but that’s still significant to the people losing money.

What are some indicators of potential penny-stock fraud?

When companies file reports, that information is easily accessible. From looking at that, I can at least get a picture of whether a company is struggling and can’t pay its bills, or if it’s likely to be able to develop a business plan. A lot of it is looking at who’s been getting stock. I look at stock volume and check the daily volume for unusual spikes—especially for spikes that come in advance of news. That smacks of insider trading.

Has it been hard for you to convince potential clients and regulators that you’ve turned over a new leaf?

When I said what I was going to do, many took a wait-and-see attitude. However, a lot of regulators and prosecutors have become very supportive. The regulators at the SEC are very active readers of StockPatrol.com. I’ve done my best to establish credibility, and many incidents of fraud have been prosecuted by the SEC or NASD after I brought them to their attention. ■

PHOTO BY MICHELE ASSELIN

[Pull quote illegible in scan]

-TYMINSKI, VP AND CISO OF PRUDENTIAL FINANCIAL




THE SECURITY STRATEGY IMPERATIVE

THE ROI OF SECURITY

AL SOLUTIONS p.12

EMERGING TECHNOLOGIES, EMERGING RISKS p.18

THE VALUE OF PRIVACY p.20

BUSINESS CONTINUITY p.22

GUIDE TO MANAGING INFORMATION SECURITY THREATS & BUSINESS CONTINUITY CHALLENGES

Custom Publishing Advertising Supplement




Secure  technology  provides  peace  of  mind 


When  you  set  out  to  secure  your  e-business  communications,  success  or  failure 
often  hinges  on  your  technology  partner.  Choose  a  partner  that  4  out  of  5 
FORTUNE  500®  companies  already  trust:  Sterling  Commerce.  Sterling  Commerce 
provides  a  complete  line  of  solutions  for  securely  moving  business  data  within  an 
organization  or  outside  to  customers  and  business  partners. 

To  learn  more  about  the  importance  of  security  in  industry,  please  visit  us  at 
www.sterlingcommerce.com/go/cio  before  May  30,  2003.  The  first  100  visitors 
will  receive  a  free  copy  of  the  popular  hardcover  book,  Network  Security:  PRIVATE 
Communications  in  a  PUBLIC  World,  by  Charlie  Kaufman. 


Sterling Commerce


©2003  Sterling  Commerce,  Inc.  ALL  RIGHTS  RESERVED.  Sterling  Commerce  and  the  Sterling  Commerce  logo  are  trademarks  of  Sterling  Commerce,  Inc. 
Sterling  Commerce  is  an  SBC  Communications  Inc.  company. 


CIO  ADVERTISING  SUPPLEMENT 


SECURITY: NEW REALITY CHECK | THE AGENDA


THE  #1  TOPIC  ON  LEADERS’  MINDS 


Welcome to the new year of Strategic Directions — and to what we call the “new reality check” of managing information security threats and business continuity challenges.

Strategic Directions is the ongoing series of CIO and CSO supplements, produced by CXO Media’s Custom Publishing group, focusing on the key business-critical technologies and solutions of the day. Through research, analysis, case studies and vendor profiles, Strategic Directions provides an executive-level primer to the hot topics on the minds of senior IT and business leaders.

And no topic is hotter right now than security.

How many times has one of your networks or systems been attacked in the last year? What happens if your website goes down for even an hour, or if a key corporate database goes offline for a day? What will the interruption cost your organization?

And what about your partners and suppliers? Can your operations survive a failure in telecom services or DNS servers?

This Strategic Directions supplement, the first in 2003, looks at what it takes to protect the enterprise’s ability to fulfill its mission — the strategies, tools and techniques CIOs and CSOs need to secure information systems, applications and networks from attack and failure, accompanied by best-practices advice and in-the-trenches case studies of what works and what doesn’t.

Among the topics we tackle in this edition:

■ DEALING WITH NEW TECHNOLOGIES: They’re way cool and creeping inexorably into the enterprise, but they’re also dangerously insecure. Should you ban them or find ways to embrace them? Whatever you do, don’t ignore them.

■ RETHINKING YOUR SECURITY STRATEGY: What you can do to protect your enterprise now.

■ SOLUTIONS THAT EASE THE PAIN: Simplifying security management; multifunction appliances; authentication alternatives and more.

■ THE PUSH FOR PRIVACY: Dos and don’ts that keep customers in the fold.

■ CONTINUITY PLANNING: As demand for the real-time enterprise grows, so does an appetite for high-availability and fault-tolerant systems.

■ ROI CHECK: Steps you can take to cut security overhead and prep systems and networks for future security investments.

Read on. Take notes. Tear out pages. Contact our sponsors for more information. And please let us know what you think — about Strategic Directions in general, this edition in particular and ideas you’d like us to tackle in future editions. Got any best practices you’d like to share with other IT/business leaders? Send them to me; I’ll pass them along in our next issue.

Thanks for reading Strategic Directions. And as a familiar TV cop used to say, “Let’s be careful out there.” SD

Tom Field

Director of content development
CXO Media Custom Publishing
tfield@cxo.com

ABOUT STRATEGIC DIRECTIONS

Strategic Directions focuses on key business-critical technologies and solutions with in-depth coverage, analysis and market data regarding today’s hot topics. There will be four editions of Strategic Directions in 2003, with future issues focusing on outsourcing, storage and CRM. For more information, visit www.cio.com/custompub.


STRATEGIC  DIRECTIONS  3 




SECURITY: NEW REALITY CHECK | THE SECURITY STRATEGY IMPERATIVE


THE  SECURITY  STRATEGY 

IMPERATIVE 

ANTICIPATING  A  DISASTER  IS  EASIER 

THAN  RECOVERING  FROM  ONE 


“Exactly the event you think cannot happen will happen if you do not plan for it,” says Dave Foss, manager of information systems and networking at MIT.

Too often, though, information security measures develop haphazardly, in reaction to the last attack or emergency. And too often the technologies deployed deliver only partial solutions. The result: patchwork defense full of vulnerabilities.

These days, enterprises need more than a patchwork defense. Following are some bits of expert advice for developing a smart, comprehensive security strategy.

SURVIVABILITY: KNOW YOUR VULNERABILITIES

“What was once a cottage industry of hackers has now evolved into a sophisticated group of well-organized, well-connected and informed users who revel in their ability to cause disruption,” says Foss.

If security is about technology, then survivability — what folks at Carnegie Mellon University’s Software Engineering Institute call “the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures or accidents” — is about the business.

“The real costly security concerns are those which affect your corporate bottom line,” says Foss. “This includes the perception that your company cannot be trusted. If you can’t keep your own data secure, why should anyone trust you with personal or business data?”

When it comes to developing a security strategy, the first thing an IT executive needs to know is what’s at risk in the business. That means precisely figuring out the vulnerabilities and creating what Omni Consulting Group calls an inventory of impacted resources and outcome probabilities.

“If you look at security in terms of risk mitigation, you can map out your resource requirements accordingly,” says Wayne Mincey, president of the technology services division at Spherion, a Ft. Lauderdale, Fla.-based HR and IT services provider.

“There are three ways to deal with risk,” Mincey says. “You can live with it, you can avoid it or you can transfer it elsewhere.” Which path you take depends on the probability and severity of the risk in the context of what is important to your organization. A careful eye should then be turned toward identifying your vulnerability levels (ideally in a regulated fashion) and focusing your action plans around

Continued on page 6




THE  ROI  OF  SECURITY: 

HOW  TO  GET  THE  MONEY  YOU  NEED  -  AND  SHOW  RESULTS 


Security  isn’t  an  investment,  according  to  Christian 
Byrnes,  vice  president  for  security  and  risk  strategies  at 
Meta  Group.  “It’s  a  tax  on  IT-based  assets  required  to 
protect  the  value  of  the  assets,”  he  says. 

And,  arguably,  how  much  tax  you  pay  depends  on  how 
much  risk  you  face.  So  consider  this: 

■  The  number  of  vulnerabilities  has  been  doubling  since 
1998,  says  Carnegie  Mellon  University’s  CERT  Coordination 
Center. 

■  Nearly  20,000  digital  attacks  occurred  this  January, 
according  to  mi2g  Ltd.,  a  digital  risk  management  firm. 
Damages  exceeded  $8  billion.  At  that  rate,  2003  will  see 
more  than  180,000  attacks  doing  S80  billion  to  $100  billion 
worth  of  damage. 

■  During  a  nine-hour  period  on  July  19,  2001,  the  virus  Code 
Red  infected  250,000  computers,  according  to  CERT.  Code 
Red,  SirCam  and  LoveBug  together  infected  an  estimated 
40  million  computers;  repair  efforts  and  lost  productivity 
added  up  to  $12  billion. 

When  it  comes  to  how  much  an  organization  should  spend 
on  security,  Dave  Foss,  manager  of  information  systems 
and  networking  at  MIT,  asks,  “How  much  are  you  willing  to 
risk?” 

Consider  the  cost  of  having  no  security.  Do  you  have 
adequate  recovery  plans  to  put  your  entire  desktop  or 
server  environment  back  in  operation  if  you’re  attacked? 
How  long  can  you  stay  offline?  What’s  the  business  cost  of 
having  every  IT  professional  divert  his  or  her  attention  to 
recovering  your  IT  infrastructure  after  a  security-relat¬ 
ed  disaster? 

The  capital  outlay  that  your  security  program  needs 
depends  on  buy-in  at  the  top  of  your  organizational  food 
chain. 

And  to  get  that  buy-in,  you’ll  have  to  communicate 
your  security  needs  in  business  terms.  This  point  can’t  be 
overstated:  Information  security  efforts  must  support 
business  objectives  and  business  processes. 

Some  security  experts  use  the  10  domain  areas  of 


(ISC)J’s  Common  Body  of  Knowledge  to  elucidate  security 
issues  to  business  managers  and  end-users.  These  10 
domains  are  the  following: 

■  Security  Management  Practices 

■  Security  Architecture  and  Models 

■  Access  Control  Systems  and  Methodology 

■  Application  Development  Security 

■  Operations  Security 

■  Physical  Security 

■  Cryptography 

■  Telecommunications,  Network  and  Internet  Security 

■  Business  Continuity  Planning 

■  Law,  Investigations  and  Ethics 

Some  CIOs  and  CSOs  use  risk  assessments  and  opera¬ 
tional  metrics  —  like  number  of  intrusions  blocked  or 
viruses  foiled  —  to  justify  security  spending  and  educate 
top  management.  And  education  really  is  the  key  to 
obtaining  necessary  funds,  as  well  as  demonstrating  ROI. 

“Security is often viewed as a cost center, and rightly
so — it’s a cost of doing business today,” says Chad
Robinson, senior research analyst at the Robert Frances
Group. “However, because most companies seek to continually
‘increase profits, reduce costs,’ this often means
security efforts get only minimal funding.”

Having  this  mind-set  is  a  serious  mistake,  Robinson 
says:  “Setting  a  budget  for  security  and  then  determining 
what  that  budget  will  allow  almost  guarantees  that  a 
security  effort  will  fail  at  some  point.” 

In  the  end,  says  MIT’s  Foss,  “The  best  advice  is  to 
secure  your  internal  systems  as  much  as  possible  from 
intruders,  realizing  that  no  solution  is  perfect.”  Relay  this 
plan  to  management  and  plan  for  the  worst,  without 
becoming  obsessive.  Hire  experienced  people  and  listen  to 
what  they  tell  you,  but  take  it  upon  yourself  to  make  the 
final  decision  based  on  your  particular  needs.  “Now  relax 
and  have  a  nice  cup  of  latte  at  your  local  Starbucks,  and 
take  a  good  look  around  you,”  Foss  says.  “You  might  end 
up  working  there  if  you  made  the  wrong  decisions.” 


STRATEGIC  DIRECTIONS  5 


CIO  ADVERTISING  SUPPLEMENT 


SECURITY: NEW REALITY CHECK | THE SECURITY STRATEGY IMPERATIVE


FIVE  NOT-SO-EASY  STEPS  TO  MITIGATING  RISK 


Continued  from  page  4 
your  risk  levels. 

Begin  with  an  audit  —  an  honest 
(typically  external)  assessment  of  all 
vulnerabilities. 

“There is no way to know whether
you meet the standard of due care
without some form of external assessment,”
says Christian Byrnes, vice president
for security and risk strategies at
Meta Group. “Just make sure that the
program is being assessed against some
defined reference. Generic reviews
without a methodological basis are useless
and misleading.”

You  can  get  security  audit  help 
from  any  number  of  vendors,  including 
Continued  on  page  22 


■ DETERMINE WHAT OPERATIONS AND FUNCTIONS
ARE ESSENTIAL FOR THE BUSINESS TO
SURVIVE. Priorities become clear as you
figure out the impact of losing each
operation and function.

■  IDENTIFY  SYSTEMS  AND  PERSONNEL  THAT 
ARE  ESSENTIAL  TO  THE  CONTINUANCE  OF 
THOSE  KEY  BUSINESS  OPERATIONS  AND 
FUNCTIONS.  Then  pinpoint  all  directly 
and  indirectly  related  components  and 
subsystems. 

■ ASCERTAIN AND EVALUATE THREAT SCENARIOS
FOR THOSE OPERATIONS AND THEIR SYSTEMS.
This includes developing an understanding
of what or whom business assets
are being secured against and identifying
system and process vulnerabilities.

■  USE  RISK  EVALUATIONS  TO  CREATE  STRONG 
POLICIES  AND  PROCESSES  —  AND  ENFORCE 
THEM.  Once  established,  review  security 
policies  often  and  expect  to  change 
them  in  response  to  evolving  threats 
and  technology  solutions. 

■  DEVELOP  POLICY-BASED  DEFENSE  IN  DEPTH. 
You’ll  need  layers  of  protection  that 
reduce  visibility  of  and  access  to  critical 
assets  —  including  perimeter  defenses 
(firewalls,  IDSs,  antivirus  programs, 
etc.),  encryption  and  a  secure  network 
operations center. Threat levels are
lower when attackers can’t technologically
or physically touch their target.
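The first three steps above (rank essential operations by the cost of losing them, map each to the systems it depends on directly and indirectly, and score threat scenarios against those systems) can be carried out as a small risk register. The following is an added worked example, not code from the supplement or from any vendor profiled in it; every operation, system, threat, likelihood and dollar figure in it is constructed for illustration, and the expected-loss formula (likelihood per year × outage hours × hourly business loss) is one common assumption, not a method the supplement prescribes.

```python
"""Added example of steps 1-3 of the risk-mitigation list above.
All systems, operations, threats and figures are constructed."""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    depends_on: list = field(default_factory=list)  # indirectly related components


@dataclass
class Threat:
    name: str
    target: str           # name of the system the scenario hits
    likelihood: float     # assumed occurrences per year
    outage_hours: float   # assumed downtime per occurrence


@dataclass
class Operation:
    name: str
    hourly_loss: float    # assumed business cost per hour of outage
    systems: list         # systems directly essential to this operation


def closure(system_names, systems):
    """Step 2: expand the directly essential systems to every component
    they depend on, transitively."""
    seen, stack = set(), list(system_names)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(systems[name].depends_on)
    return seen


def annualized_risk(operations, systems, threats):
    """Step 3: expected yearly loss per operation from every threat scenario
    that touches any system in the operation's dependency closure."""
    result = {}
    for op in operations:
        affected = closure(op.systems, systems)
        loss = 0.0
        for t in threats:
            if t.target in affected:
                loss += t.likelihood * t.outage_hours * op.hourly_loss
        result[op.name] = round(loss, 2)
    return result


def priorities(operations, systems, threats):
    """Step 1: rank operations by what losing them is expected to cost."""
    risk = annualized_risk(operations, systems, threats)
    return sorted(risk.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample register: an order-entry application that needs the
# database and the directory service, a payroll system on the same database,
# and a SAN under the database.
SYSTEMS = {
    "order-entry": System("order-entry", ["database", "directory"]),
    "payroll": System("payroll", ["database"]),
    "database": System("database", ["san"]),
    "directory": System("directory"),
    "san": System("san"),
}
OPERATIONS = [
    Operation("take customer orders", hourly_loss=5000.0, systems=["order-entry"]),
    Operation("pay employees", hourly_loss=800.0, systems=["payroll"]),
]
THREATS = [
    Threat("worm outbreak on the directory server", "directory", 0.5, 8.0),
    Threat("SAN controller failure", "san", 0.1, 24.0),
]

if __name__ == "__main__":
    for name, loss in priorities(OPERATIONS, SYSTEMS, THREATS):
        print(f"{name}: expected annual loss ${loss:,.2f}")
```

The point the numbers make is the one the list makes in words: the directory-server scenario never names order entry, yet it dominates order entry's risk because the dependency walk in step 2 links them, so the two operations come out in a defensible order before any control is costed.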


CASE  STUDY 


Like many organizations, the Kansas Bureau of Investigation
(KBI), which maintains a Criminal Justice Information
System accessed by law enforcement agencies, courts and
other organizations throughout the state of Kansas, wanted
to migrate from its private network to the Internet to make
access to its information more affordable. And although
KBI had to comply with strict security and
auditing requirements mandated by state and
federal legislation, KBI’s IT consultant, Norma
Jean Schaefer, believed that a carefully crafted
configuration of state-of-the-art commercial
products could provide the high levels of
security required.

UP  AND  RUNNING  IN  TWO  WEEKS 

According to Schaefer, Nokia’s strategy for network security fit the
bureau’s needs like a glove: a purpose-built platform implemented in a
choice of specially hardened security appliances that are all pre-configured
with the industry’s best security applications.

Using applications from three of Nokia’s partners — Check Point
Software Technologies, FishNet Security and Internet Security Systems
(ISS) — KBI was able to get the basic security provisions up and running in
just two weeks, a remarkable feat Schaefer attributes to Nokia’s approach
to security, which stresses purpose-built appliances pre-configured with
best-of-breed applications.


“The  IPSO  operating  system  on  the  Nokia  IP  Security  Platform  takes  the 
risk  out  of  installing,  configuring  and  operating  security  appliances,” 
reports Schaefer. “There are just too many variables with a general-purpose
operating system where errors in the intricate configuration can leave
the  network  vulnerable.  But  with  the  Nokia  appliances,  I  can  have  a  site  up 
in  about  an  hour  and  sleep  well  knowing  the  configuration  is  solid.” 

$13,000  VS.  $25.00 

KBI also appreciates the scalable performance
available across the family of Nokia IP
Series appliances. The choice of different
models, some available in fully redundant
configurations, gives KBI a cost-effective solution
for just about every conceivable need — from the data center to the
smallest field office.

“We  have  a  lot  of  small  counties  that  could  not  afford  $13,000  a  year  for 
a  leased-line,”  observes  Ron  Rohrer,  IT  director  at  KBI.  “Now,  even  the 
smallest  departments  can  connect  for  about  $25  a  month.” 

The project has since grown to connect some 6,000 users at 250 separate
agencies, and has been an unqualified success with an estimated cost
avoidance  of  $2.5  million  and  a  300  percent  return  on  investment  during  the 
first  year. 


For  more  information,  contact  Nokia  at  1-877-997-9199  or  visit 
http://www.nokia.com/securenetworksolutions. 


NOKIA 

Connecting  People 



Connecting 
the  right 
people 


Find out why industry leaders and the world’s
leading financial institutions choose Nokia security systems.


The more complex your business becomes, the
more you need secure and reliable connections to
your corporate network. When you combine the
world’s best VPN/Firewall software from Check
Point Software Technologies and Intrusion
Protection from Internet Security Systems™
(ISS) with Nokia platforms and management
applications, you save time and resources,
gaining flexibility and reliability. Only Nokia takes
a complete system approach to network integrity
with full integration of best-of-breed applications
on purpose-built platforms that are easy to deploy,
operate and manage, backed by First Call - Final
Resolution global support.

To  spend  more  time  at  home,  visit 
www.nokia.com/get_a_life/americas 


NOKIA 

Connecting  People 





SECURITY: NEW REALITY CHECK | NEW RULES & REGS


NEW  RULES  &  REGS 

HERE  ARE  SOME  SECURITY  REGULATIONS  AND  CERTIFICATIONS  TO  NOTE 


Intensifying security- and privacy-oriented
regulation — especially
in those industries considered
part of critical infrastructure (e.g.,
energy, utilities, finance, healthcare,
transportation, communication)
— is reshaping the nature of
corporate officers’ fiduciary
responsibility and what it takes to
manage secure IT environments.


Among the regulations with security
implications are the following:

THE U.S. HEALTH INSURANCE PORTABILITY
AND ACCOUNTABILITY ACT (HIPAA), which
ensures the security and confidentiality
of health-related data and standardizes
electronic data interchange for healthcare
organizations.

THE GRAMM-LEACH-BLILEY ACT (GLBA)
mandates HIPAA-like protections for
financial data.

THE NATIONAL SECURITY TELECOMMUNICATIONS
AND INFORMATION SYSTEMS
SECURITY POLICY (NUMBER 11) took
effect  in  July  2002;  it  requires  that  all 
software  purchased  by  the  government 
for  use  in  a  national  security  setting  be 
tested  to  ensure  it’s  secure. 

And  then  there’s  the  SARBANES- 
Continued  on  page  10 




COMPANY  PROFILE 




Do you know the impact to your company’s bottom line when
your mobile workforce is down? A workforce unable to
communicate with clients, without access to vital information,
can cut into productivity, lead to lost revenue opportunities,
erode market share and damage profitability. How
can you safeguard your bottom line against the problems
associated with mobile workforce downtime?

One  global  pharmaceutical  company  found  out  when  it  secured 
Spherion’s  comprehensive  solution  for  laptop  depot  services  to  support  its 
large,  mobile  U.S.  sales  force.  By  minimizing  exposure  to  downtime,  this 
company  enhanced  the  efficiency  of  its  organization  while  preventing  loss 
of  both  critical  data  and  potential  revenue. 

When  people  are  stopped  in  their  tracks  by  stalled  technology,  patience 
may  be  a  virtue  but  it’s  usually  in  short  supply.  That  is  why  this  firm  put  a 
high  premium  on  speed.  It  wanted  24-hour  turnaround  on  repairs  and  no 
more  than  a  60-second  hold  time  on  calls.  It  wanted  80%  of  its  calls 
resolved  immediately  and  it  had  very  little  tolerance  for  hang-ups. 

QUICKLY  AND  SEAMLESSLY 

Moving  quickly  and  seamlessly  to  a  new  support  environment,  Spherion 
commissioned  a  dedicated  team  to  oversee  the  transition  and  ensure  that 
there  was  no  service  disruption  to  the  client’s  sales  force.  It  worked  with 
the  client  to  detail  hiring  criteria,  data  security  documentation,  escalation 
and  notification  procedures,  disaster  recovery  and  staff  training. 


Spherion’s comprehensive break/fix
solution provides a dedicated technical
support staff for warranty and non-warranty laptop repairs, with a guaranteed
turnaround time of 24 hours for warranted items; secure data imaging;
and inventory management.

PERFORMANCE  RESULTS  RESCUE  REVENUE 

Addressing key productivity measures to ensure minimum downtime for
mobile employees, Spherion provided service that surpassed all client
expectations including a 40-second call response time, a 95% first call
resolution rate and a 3.4% call abandon rate.

Outstanding  technical  support  safeguards  the  security  of  client  data 
and  protects  employee  productivity.  Laptop  repairs  that  once  took  three 
days are now accomplished within a single day. With more than 4,700
representatives nationwide, that means a rescue of nearly $23 million annually
in  potential  lost  revenue. 

For  more  information,  contact  www.spheriontechnology.com. 

© 2003 Spherion Pacific Enterprises LLC. All rights reserved. Spherion and
the Spherion logo are registered service marks of Spherion Pacific
Enterprises LLC.




MAXIMIZE I.T. EFFECTIVENESS

With over 35 years of experience, Spherion Technology helps
clients maximize the value of their IT investments through
effective planning and implementation of IT solutions. For a
leading pharmaceutical provider, this meant providing help
desk support 24-7, enabling them to avoid a potential $15
million in lost business per year. Which is why nearly 90% of
companies who use us continue to use us to make their
workplace work better.



SECURITY: NEW REALITY CHECK | NEW RULES & REGS


OXLEY ACT, which went into effect in
mid-2002, enacting a slew of new corporate
recordkeeping and auditing rules
that are bound to shake up how IT professionals
store and protect data. The
added costs of implementing the act’s
new information disclosure requirements
will help justify deploying and


PROFILE 


“As the global network economy
grows in size and complexity,
information security and privacy protection
require serious reassessment
and modification.
Organizations are allowing more entry privileges
to their infrastructures to a much wider
population of partners and processes than
ever before,” notes Harry DeMaio, Certified
Information Systems Security Professional
(CISSP) and (ISC)2 board of directors member.
“In a sense, organizations
have lowered the drawbridge
to their fortresses.”

So, how does an
organization defend itself
in this new interdependent
and collaborative environment?

“Trust,” DeMaio says. “A mutual trust
among a range of partners and allies directly
and interactively sharing infrastructure, applications,
data and other resources.”

TRUST:  THE  ULTIMATE 
FIREWALL 

Trust  in  the  Internet  community,  says  DeMaio, 
requires  answers  to  these  questions: 

■ Can I trust the organizations and infrastructures
on which I depend?

■ Can they trust me?

■ Together, can we trust our common infrastructure
and processes?

“Trust is built on reciprocal protection,
clear responsibilities and accepted standards,”
he explains. “More than tools and technology,
the trustworthiness of the technologists,
designers, managers and administrators
themselves will continue to spell the difference
in the stability, growth and effectiveness of
complex, networked information systems.
Trust is the ultimate firewall,” he says.

CERTIFIED  CYBER-SECURITY 
WORK  FORCE 

“A certified cyber-security work force has
long demonstrated professional excellence,
mutual trust and jealously-guarded ethical
reputations,” says DeMaio. “The need for such
standards has never been greater. New
cyber-threats, exponentially growing networks,
increased process complexity and quantum
leaps in the information
user population, make peak professionalism in
every sense of that word a necessity for the
information security community.

“Professionalism  is  crucial  regardless  of 
the  type  or  level  of  security  practice,”  he 
adds. “To provide the strongest index of trustworthiness
for the growing diversity of professionals
in the information trust community,
credentialing  bodies,  such  as  the  International 
Information  Systems  Security  Certification 
Consortium  (ISC)2,  must  continue  to  enhance 
professional  certifications. 

“That  way,  as  the  information  security 
industry  evolves,  the  workforce  can  continue 
to  evolve  and  bring  trust  to  the  global  Internet 
community.” 


For  more  information,  contact  (ISC)2  at 
(508)  875-8400  or  visit  www.isc2.org. 


ensuring the survivability of an enterprisewide
set of (secure) business applications
built around a (secure) database.

These compliance requirements
are, in turn, triggering new need for
the Generally Accepted System Security
Principles (GASSP), expected to be
renamed the Generally Accepted Information
Security Principles (GAISP),
which establish common compliance
elements that can be mapped to security
regulations and standards.

Meanwhile,  ISO  17799  is  evolving 
into  a  de  facto  standard  for  high-level 
definition  of  an  information  security 
architecture. 

Those who’ve met their regulatory
obligations will need to show that
via certification and/or accreditation.


Now  the  U.S.  Department  of 
Defense  requires  that  security  products 
(and  security-enabled  products)  be 
Common  Criteria-certified,  and  the 
U.S.  federal  government  may  adopt 
this  certification  standard. 

The International Information Systems
Security Certifications Consortium’s
Certified Information Systems
Security Professional (CISSP) and System
Security Certified Practitioner
(SSCP) certifications become increasingly
important as a means of ensuring baseline
capabilities of security professionals.

“More than tools and technology,
the trustworthiness of technologists,
designers, managers and administrators
themselves will continue to spell the
difference in the stability, growth and
effectiveness of complex, networked
information systems,” observes Harry
DeMaio, CISSP, and (ISC)2 board of
directors member. “Trust is the ultimate
firewall.”




TRUST IS THE ULTIMATE FIREWALL

(ISC)2: SECURITY THAT TRANSCENDS TECHNOLOGY


Even organizations with identical security technology can have information systems whose trustworthiness isn’t
comparable. Skilled, motivated and reliable security architects, designers, implementers, administrators and
managers make the difference. Experts whose abilities are coveted, because as holders of CISSP® and SSCP®
credentials, they’re the trusted constituents of the non-profit consortium of industry leaders known as (ISC)2.

(ISC)2 is a non-profit consortium of industry leaders whose charter is to compile and maintain the most
comprehensive Common Body of Knowledge (CBK)™. And from this CBK, develop the industry standards for
training and credentialing. Those professionals who earn CISSPs and SSCPs share the credibility of the
internationally recognized Gold Standard in information security.


For  more  information  on  training  or  certification,  please  call 

1.888.333.4458 

or  visit  www.isc2.org 






SECURITY: NEW REALITY CHECK | REAL SOLUTIONS


REAL  SOLUTIONS 

BEST  PRACTICES  FOR  PROTECTING 
THE  ENTERPRISE  INSIDE  AND  OUT 


Boundaries between “us”
and “them,” between
“inside” and “outside”
are quickly disintegrating
as employees, customers,
partners and even databases
interact across time,
space and corporate confines.

The same technologies
that enable business also make
protecting assets and ensuring continuity
of operations a relentless challenge.

To protect the ever-blurry enterprise
perimeter, the National Strategy
to Secure Cyberspace, released by the
U.S. government in February, calls for
improvement in, among other things,
key Internet protocols and software
and hardware components.

Some tips for protecting the enterprise:

SOLUTION:  BUILD  SECURITY  INTO 
SOFTWARE  DESIGN 

Many business leaders think boosting
software security should top any security
list, and experts point out that software
defects or inadequate configurations
have contributed to every major attack
on the Internet since 1986. Too often
the security patches that are supposed to
eliminate vulnerability instead wreak
havoc on other applications, forcing IT
staffers to choose between two evils.


In an analysis of 45 e-business
applications, security consulting firm
@stake found that almost half the security
defects it discovered were preventable;
the best-designed apps have just
one-quarter as many flaws as the worst-designed.
The most secure apps, @stake
concluded, carry 80 percent less
business-adjusted risk than the least secure.

The  only  long-term  solution  to  this 


LESSONS  FROM  9/11 

These  security  lessons  were 
learned  the  hard  way,  after  the 
devastating  terrorist  attacks  of 
Sept.  11,  2001: 

■ MOVE SERVERS INTO HARDENED
DATA CENTERS. Lower real estate,
labor and energy expenses offset
technical and regulatory hassles
as well as costs of building and
running secure structures (estimated
at five to 10 times regular
old office space in primary cities).

■  BRING  RECOVERY  SITE  PROVISIONING 
IN-HOUSE.  Service  provider  price 
increases  and  demand  for  higher 
service  levels  are  making  this 
more  cost-efficient. 

■ KEEP LESS DISTANCE BETWEEN
OPERATIONAL AND RECOVERY SITES.
Too much site separation hikes
costs and hinders recovery times.


problem, for both CIOs and software
vendors, is to integrate comprehensive
security planning and testing into their
application development processes, says
Jeff Artis, senior vice president of
national solutions at Spherion, which
provides managed services and professional
services. “They should develop a
security lifecycle that matches their
development lifecycle,” Artis says.
“Application security is much like quality
assurance and testing: Good results
come from careful planning and rigid
adherence to a well-defined process.”

@stake points to the following best
practices in design, coding and deployment
that differentiate the most secure
applications:

■ Early design focus on user authentication
and authorization;

■ Mistrust of user input;

■ End-to-end session encryption;

■ Safe data handling;

■ Elimination of administrator backdoors,
misconfigurations and default
settings;

■  Security  quality  assurance. 
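Two items on that list, mistrust of user input and safe data handling, are easiest to see side by side in code. The block below is an added illustration, not @stake’s or the supplement’s code: the same account lookup is written once by pasting the caller’s text into the SQL statement and once with the text bound as a parameter behind an input whitelist. The in-memory table, the two accounts, the username policy and the crafted input are all constructed for the example.

```python
"""Added example of 'mistrust of user input' and 'safe data handling':
an account lookup written unsafely and then safely against a constructed
in-memory SQLite table."""
import re
import sqlite3

# Assumed site policy: lowercase letters, digits and underscores only.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def make_db():
    """Constructed sample table with two accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, role TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", "user"), ("root_admin", "admin")])
    return db


def lookup_unsafe(db, username):
    """Trusts the input: the caller's text becomes part of the statement,
    so a value containing a quote changes what the query means."""
    sql = "SELECT username, role FROM accounts WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def lookup_bound(db, username):
    """Parameter binding alone: the text is handed to the database as data
    and can only ever be compared literally, never parsed as SQL."""
    sql = "SELECT username, role FROM accounts WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def lookup_safe(db, username):
    """Safe data handling: reject anything outside the allowed pattern
    before it reaches the database, then bind what is left."""
    if not USERNAME_RE.match(username):
        raise ValueError("username does not match the allowed pattern")
    return lookup_bound(db, username)


def demo():
    """Run the three lookups against one constructed input that closes the
    quote the unsafe version opens, and report what each one does."""
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input; no such account exists
    leaked = lookup_unsafe(db, crafted)
    bound = lookup_bound(db, crafted)
    try:
        lookup_safe(db, crafted)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "rows_leaked_by_unsafe": len(leaked),   # every account
        "rows_from_bound": len(bound),          # none: compared as text
        "safe_rejected_input": rejected,        # never reached the database
        "safe_normal_lookup": lookup_safe(db, "alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Binding alone closes the hole; the whitelist in front of it is the "safe data handling" half of the pair, and it is what turns an unexpected value into a logged rejection rather than a silent empty result.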

SOLUTION:  PUT  YOUR  DATA  IN  A 
VAULT 

“There’ve been millions and millions of
dollars spent largely on deploying point
products and solutions at the perimeter
of the enterprise,” notes Ed Gregory,
president of Cyber-Ark, a Dedham,
Mass.-based information security ven-






SECURITY: NEW REALITY CHECK | REAL SOLUTIONS


NEW  SOLUTION 


THE  INSPIRATION  BEHIND  PATENTED  VAULTING  TECHNOLOGY: 

EXPERIENCE  (AND  AN  EMBARRASSING  MOMENT) 


During Alon Cohen’s tenure as the head of the System and
Security Department for the Israeli military, a personal electronic
letter to his girlfriend found its way into the wrong hands.

Embarrassing, yes; but, more importantly, he knew that
despite a massive investment in traditional security wares, holes
existed and exposure of sensitive, confidential electronic information
occurred. In his role as a civilian security expert he would discover
it was a widespread problem.

Incidents like these forced Cohen to turn the traditional
perimeter security model upside down and inside out, applying the
same vaulting concepts that banks used to protect physical money
to information security. In 1999, he co-founded Cyber-Ark and built
the industry’s first vaulting solutions, offering two highly integrated
information security solutions for enterprise networks. Today,
the Network Vault and the Inter-Business Vault are deployed in
over 50 Global 1000 companies.

ONE  WAY  IN-ONE  WAY  OUT 

Instead of only trying to protect the enterprises’ perimeter,
Cyber-Ark’s patented Vaulting Technology creates a safe haven for
protecting and sharing sensitive information such as account
statements and transaction files with customers and business
partners. While complementing existing perimeter security investments,
the Vault is, in fact, highly secure regardless of the quality
of the perimeter investment. This approach means important
information and data in the Vault remains protected from security
threats and misuse occurring outside the Vault.

By  splitting  the  server  interfaces  from  the  storage  engine, 
Cyber-Ark  has  removed  the  traditional  tradeoff  between  security 
and accessibility, creating a single data access channel — only one
way in and one way out — protected with many layers of tightly
integrated  security  and  performance  technologies  for  maximum 
protection  of  data  stored  inside  the  vault. 

SOLUTION  DEPLOYED  IN  MINUTES 

Sound  complex?  Not  for  users,  who  get  a  dramatically  simplified 
approach  to  information  security  that  works  with  all  the  familiar 
applications  (Word,  PowerPoint,  E-mail,  Online  Banking,  etc.)  and 
doesn’t  require  any  new  training. 

Administrators with little or no security experience can
deploy the solution in just minutes, and easily audit and manage it
without an army of security professionals. With Cyber-Ark, accessibility
finally doesn’t need to trump security.

For  more  information  on  Vaulting  Technology,  contact 
Cyber-Ark  at  www.cyber-ark.com. 



dor.  “While  these  are  good  products  in 
their  own  right,  they’re  very  general- 
purpose  in  nature  —  and  despite  huge 
investments, statistics show that 80 percent
of all companies surveyed have
experienced financial loss due to security
breaches. Something fundamental
is  not  working  the  way  it  needs  to.” 

Rather  than  try  to  protect  the 
entire  perimeter  of  a  network,  which 
experts  and  data  suggest  is  impossible, 
Gregory’s  firm  seeks  to  secure  one 
place  in  the  network  regardless  of  its 
overall  security:  an  electronic  vault. 

Kris Zupan, CEO/CTO of e-DMZ
Security, a provider of co-managed security
services and reseller of Cyber-Ark’s
vaulting technology, says, “Vaulting technology
provides an effective alternative
for organizations that have the requirement
to securely share data.

“Even  in  organizations  lucky 
enough  to  have  encrypted  email  across 
the  enterprise,  you’re  still  stuck  with 
the  problem  of  versioning,  retention, 
and  delegation  of  access,”  Zupan  says. 
“Vaulting  technology  can  allow  the 
data  owners  to  proactively  protect  and 
share  their  data  with  a  minimum  of 
overhead.” 

Zupan, who spent more than a
decade viewing security from the user
side of the equation at a Fortune 500
financial  services  firm  and  later  at  a 
Fortune  500  chemical  manufacturer, 
says  vaulting  is  an  enabling  technology 
specifically  designed  for  “people  who 
do  security.” 

Vault  solutions,  such  as  those  from 
Cyber- Ark,  DigitalNet  and  others,  can 
safeguard  critical  data  and  applications. 
Cyber-Ark’s offerings, for example,
support a wide array of secure ID,
tokens, smartcards and digital certificates,
and enable organizations to create
a secure location in the network
where vital information can be protected
and shared within an enterprise as





SECURITY: NEW REALITY CHECK | REAL SOLUTIONS


well  as  among  partners,  customers  and 
suppliers. 

SOLUTION:  LAYERS  OF  INTRUSION 
DETECTION  AND  PREVENTION 

Stopping attacks and preventing intrusions
require several layers of defense.

Firewalls make it harder for attackers
to gather intelligence on services,
specific implementations and possible
vulnerabilities. Intrusion detection systems
(IDSs) send up alarms when attacks
get past firewalls. Most experts agree
that these solutions should be used
together along with such other tools as
antivirus scanners and encryption.

“Most of the damage done by
viruses, Trojans and worms in the last
two years was entirely a side-effect of
overloading the networks,” says Christian
Byrnes, vice president and service
director for security and risk strategies at
Meta Group. “None of the broadly distributed
malicious code has carried a
destructive payload — that is an
extremely important issue. One broadly
spread virus with the replication ability
of Code Red, NIMDA or SQL Slammer,
but with an intentionally destructive
payload, would do very significant
economic damage to the United States,
as well as the rest of the world. More
companies could be destroyed this way
than by any previous disaster.”

Although  they’re  important  lines 
of  defense,  antivirus  scanners,  firewalls 
and  IDSs  are  reactive  solutions.  Signa- 
Continued  on  page  16 


FIREWALL  STRATEGIES 

■  PLAN  FOR  MORE  THAN  ONE.  A  firewall 
should  be  dedicated  to  filtering  one  type 
of  traffic,  and  applications  should  be 
sorted  into  groups  according  to  their 
security  requirements. 

■  CONSIDER  INSTALLING  FIREWALLS  ON 
INTERNAL  SYSTEMS  as  well  as  public 
servers,  to  defend  against  internal 
misuse. 

■ DON’T OVER-DEPLOY. Instead, use firewalls
in conjunction with other technologies,
such as antivirus software and
intrusion detection systems.

■  DISABLE  UNUSED  SERVICES. 

■  MONITOR  YOUR  FIREWALLS  REGULARLY, 
looking  at  both  inbound  and  outbound 
connections. 
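The last two strategies in the box, disabling unused services and watching both inbound and outbound connections, are the ones a log review actually exercises. The following is an added example, not code from the supplement or from any firewall vendor it profiles: it parses a few constructed log lines in a simplified, assumed format and runs two checks, one for accepted inbound sessions to a service the policy never published (a service that should have been disabled is reachable), and one for outbound sessions initiated by servers that are only supposed to accept traffic (an internal host calling out). The addresses, ports, published-service list and server list are all assumed.

```python
"""Added example of a firewall log review covering both directions.
The log format, addresses and policy below are constructed."""
import ipaddress
import re

# Assumed simplified log line:  <timestamp> <ACCEPT|DROP> <in|out> src:port -> dst:port
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<dir>in|out) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

INTERNAL = ipaddress.ip_network("10.0.0.0/8")                     # assumed
PUBLISHED_SERVICES = {("10.0.1.10", 443), ("10.0.1.20", 25)}       # assumed policy
SERVERS = {"10.0.1.10", "10.0.1.20"}    # hosts that should never initiate sessions


def parse(lines):
    """Turn log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events


def unexpected_inbound(events):
    """Inbound sessions the firewall accepted to a service the policy does
    not publish: either a rule is too broad or a service was never disabled."""
    return [e for e in events
            if e["action"] == "ACCEPT" and e["dir"] == "in"
            and (e["dst"], e["dport"]) not in PUBLISHED_SERVICES]


def server_initiated_outbound(events):
    """Outbound sessions from a server to a non-internal address. Servers in
    SERVERS only answer requests, so any such session deserves a look."""
    return [e for e in events
            if e["dir"] == "out" and e["src"] in SERVERS
            and ipaddress.ip_address(e["dst"]) not in INTERNAL]


def review(lines):
    """Run both checks and return compact findings."""
    events = parse(lines)
    return {
        "unexpected_inbound": [(e["dst"], e["dport"]) for e in unexpected_inbound(events)],
        "server_outbound": [(e["src"], e["dst"], e["dport"])
                            for e in server_initiated_outbound(events)],
    }


# Constructed sample log: one normal HTTPS session, one accepted telnet
# session to the web server, one dropped probe, one workstation browsing,
# and one mail server opening a session to an outside host.
SAMPLE_LOG = [
    "2003-05-01T10:00:01 ACCEPT in 198.51.100.7:40000 -> 10.0.1.10:443",
    "2003-05-01T10:00:02 ACCEPT in 198.51.100.7:40001 -> 10.0.1.10:23",
    "2003-05-01T10:00:03 DROP in 198.51.100.9:40002 -> 10.0.1.20:135",
    "2003-05-01T10:00:04 ACCEPT out 10.0.2.50:50000 -> 203.0.113.5:80",
    "2003-05-01T10:00:05 ACCEPT out 10.0.1.20:50001 -> 203.0.113.77:6667",
]

if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG).items():
        print(finding, items)
```

The dropped probe on line three is deliberately not a finding: the firewall did its job there. The two findings are the accepted session to a port nobody published and the mail server talking outward, which is exactly the kind of outbound traffic a review that only reads inbound logs would never see.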


COMPANY  PROFILE 



Computer  Associates  (CA)  understands  that  today’s  organi¬ 
zations  need  to  be  in  complete  command  of  their  enter¬ 
prise  security.  CA’s  eTrust™  security  solutions  holistically 
address  all  aspects  of  business  security,  enabling  an  enter¬ 
prise  to  quickly  and  effectively  embrace  new  opportunities, 
improve  operational  efficiencies,  reduce  costs,  and  proac¬ 
tively  manage  virtually  all  security  threats  and  risks  to  the  organization. 
CA’s  eTrust  solutions  are  grouped  into  three  areas: 
eTrust™  Identity  Management;  eTrust™  Access 
Management;  and  eTrust™  Threat  Management; 
each  of  these  can  be  consistently  and  visually  man¬ 
aged  through  eTrust™  Security  Command  Center. 
eTrust  Identity  Management  solutions  central¬ 
ize  and  automate  the  creation  of  user  accounts  and 
approval  workflows,  provisioning  both  IT  and  non-IT 
resources  while  reducing  costs  through  process  automation.  It  also 
increases  user  productivity  through  integrated  single  sign-on  and  self- 
service,  including  password  resets.  Supported  by  strong  authentication 
and  a  scalable  identity  repository,  CA’s  eTrust  Identity  Management  solu¬ 
tions  manage  every  aspect  of  the  business  identity. 
eTrust  Access  Management  solutions  secure  critical  business  assets 
by  centralizing  and  strengthening  security,  regardless  of  operating  system, 
platform  or  business  application  and  whether  or  not  resources  are  web- 
based.  This  technology  also  offers  the  strongest  possible  protection 


through  active  dynamic  security  —  preventing  both  internal  breaches  and 
external  security  attacks  while  monitoring  violations  across  all  access 
devices.  Through  the  consistent  application  of  access  policies,  organiza¬ 
tions  can  deliver  productivity-enhancing  personalization  while  reducing 
management  costs. 

eTrust  Threat  Management  solutions  detect,  analyze,  warn,  prevent 
and  cure  attacks,  across  the  environment.  Through  active  and  adaptable 
risk  mitigation,  threats  are  immediately  isolated 
through  multiple  detection  techniques,  its  spread  is 
contained  and  lastly  extinguished.  CA’s  eTrust 
Threat  Management  solutions  empower  organiza¬ 
tions  to  adapt  their  security  defenses  to  new  situa¬ 
tions  without  increasing  operational  overhead  or 
costs. 

eTrust  Security  Command  Center  reduces, 
aggregates,  correlates  and  prioritizes  disparate  security  data  across  the 
enterprise  by  converting  it  into  intelligent,  actionable  information  that  can 
be  managed  from  a  single,  centralized  location.  eTrust  Security  Command 
Center’s  “See  it  All,  Manage  it  All”  solution  allows  you  to  gain  full  security 
command-and-control. 

With  a  holistic  approach  to  managing  security  across  the  entire  envi¬ 
ronment,  CA’s  eTrust  security  solutions  provide  the  power  to  secure. 


For  more  information,  contact  (631)  342-6000  or  visit  www.ca.com. 


14  STRATEGIC  DIRECTIONS 


Can your antivirus software provide double the scanning power? Ours can.

Making sure your company is secure gets more and more difficult every day. That’s why eTrust™ Antivirus v7 from Computer Associates uses dual scanning engines to ensure comprehensive virus protection. It processes data in real time to search out and eliminate viruses, and it also scans files during prescheduled and off-peak hours. All at the cost of most single-engine AV products. It’s more than just twice the protection. It’s twice the peace of mind. ca.com/etrust/antivirus

eTrust™ Antivirus

Computer Associates®

© 2003 Computer Associates International, Inc. (CA). All rights reserved. eTrust™ Antivirus was formerly known as eTrust™ InoculateIT.


CIO  ADVERTISING  SUPPLEMENT 


SECURITY: NEW REALITY CHECK | REAL SOLUTIONS


Continued from page 14

Signature-based IDSs, for example, will spot only the attacks they’ve been programmed to recognize, leaving a “window of opportunity” between time-of-attack and release of patches. Some thoughts on these solutions:

Application firewalls. Designed to protect specific services from attack, an application firewall uses definitions of acceptable input to recognize and halt abnormal protocol sessions before they reach the application itself. Thus application firewalls can eliminate entire classes of vulnerabilities, such as format string attacks or buffer overflow attacks.
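As an added illustration of the positive-model approach described above (example code written for this page, not a product’s or the article’s own), the Python below defines the acceptable input for a hypothetical login service and rejects any request that falls outside those definitions; the parameter names, length limits and patterns are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical positive-security-model definitions for one protected service:
# every accepted parameter is named, with its maximum length and the exact
# character class it may contain. Anything outside the definitions is abnormal.
@dataclass(frozen=True)
class FieldRule:
    max_len: int
    pattern: re.Pattern

LOGIN_RULES: Dict[str, FieldRule] = {
    "user": FieldRule(32, re.compile(r"^[A-Za-z0-9._-]+$")),
    "lang": FieldRule(5, re.compile(r"^[a-z]{2}(-[A-Z]{2})?$")),
    "page": FieldRule(4, re.compile(r"^[0-9]+$")),
}

def parse_query(query: str) -> List[Tuple[str, str]]:
    """Split a raw query string into (name, value) pairs; no decoding is attempted."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name, value))
    return pairs

def check_request(query: str, rules: Dict[str, FieldRule] = LOGIN_RULES) -> List[str]:
    """Return the list of violations; an empty list means the request is normal."""
    violations = []
    pairs = parse_query(query)
    if len(pairs) > len(rules):
        violations.append(f"too many parameters ({len(pairs)} > {len(rules)})")
    seen = set()
    for name, value in pairs:
        rule = rules.get(name)
        if rule is None:
            violations.append(f"unknown parameter {name!r}")
            continue
        if name in seen:
            violations.append(f"duplicate parameter {name!r}")
        seen.add(name)
        if len(value) > rule.max_len:
            # Over-long input is the raw material of buffer overflows; it never
            # reaches the application regardless of what the bytes contain.
            violations.append(f"{name}: length {len(value)} exceeds {rule.max_len}")
        elif not rule.pattern.match(value):
            # A positive character class also stops format-string style input
            # ('%' is simply not in the allowed alphabet), with no blacklist needed.
            violations.append(f"{name}: value does not match allowed pattern")
    return violations

def allow(query: str) -> bool:
    """True when the request may be forwarded to the protected application."""
    return not check_request(query)
```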


Beyond detection: preventing intrusions. By inspecting system calls against behavioral rules, intrusion prevention solutions such as those from Watchguard, Cylant and SecureWave can catch all manner of bad stuff, including illegitimate system calls, registry changes, and such malware as Trojan horses, backdoors, rootkits and worms. System administrators can control with some delicacy the rules by which intrusion prevention solutions judge application behavior, imposing limitations by application, class of user, platform and so on.


Gateway IDS: firewalls and IDS converge. Integrating multiple methods of intrusion detection (signatures, protocol and traffic anomalies) with firewall features, gateway IDSs — like those from Internet Security Systems (ISS), Top Layer Networks and NetScreen — operate in the data path so they can respond to attacks by actively dropping packets. ISS’s RealSecure Guard analyzes traffic in real time and blocks attacks, creating a virtual TCP/IP stack to reassemble packets and decide if the traffic should be permitted or blocked. Top Layer Networks’ ASIC-based Attack Mitigator has been preconfigured to identify HTTP URI exploits, denial of service attacks, Trojan horses and other hybrid threats using advanced “normalized” deep packet and multipacket HTTP URI matching and wildcard checking.

Trusted operating systems. For mission-critical servers that don’t change a lot, you can use trusted OSs, industrial-strength tools that protect the entire operating environment. Trusted OSs compartmentalize resources (processes, ports, network interfaces, files), enforce mandatory access control and employ least-privilege user restrictions. Trusted OSs cost more and take longer to configure correctly, but offer strong security for host systems. To standard trusted OS functions Computer Associates’ eTrust Access Control adds central management and policy sharing across systems, centralized auditing for all systems and synchronization with mainframe authentication. Nokia’s IPSO is an appliance-optimized, clusterable OS that’s used as the secure OS for firewalls, VPNs and intrusion protection systems. It also supports operator-to-operator roaming border gateway applications and is put to work within mobile GSM, GPRS and 3G networks to route and control mobile data.


THE INS & OUTS OF OUTSOURCING SECURITY

When should an organization consider seeking outside help to ensure its information security? Here are the most common recommendations:

Audits: To reduce the dangers of security flaws in software, says Chad Robinson, senior research analyst at the Robert Frances Group, “IT executives should arrange for regular audits of internally developed code by both automated vulnerability assessment tools and trained security professionals.”

Outside experts can keep your security solutions up to date, too. John Stehman, principal analyst at the Robert Frances Group, advises getting experts to annually “checkpoint the existing solution against best of breed and make sure it is still effective against prevalent types of attacks.”

Vulnerability assessments: Most CIOs and CSOs recognize that periodic security reviews have become an operational necessity, says Jeff Artis, senior vice president of national solutions at Spherion’s technology services division. “Even though the internal IT department may do an outstanding job, an independent review from an outside expert provides several important benefits,” Artis says. In addition to finding exposures that your team might not be aware of, an objective examination can provide new perspectives on vulnerability and risk, make recommendations for continuous improvement or simply verify an expected level of protection.

Cost reduction: Managed security services can save midsize companies as much as 80 percent of in-house security costs.

As for criteria for selecting a managed security services provider, consider these tips:

■ Make sure the provider is well-funded. That means at least several million dollars of capital available. And check the provider’s plans for tough times.

■ Take a close look at the provider’s security operations centers. When doing your own due diligence, insist on bringing along a specialist who can assess the provider’s technology and processes.

■ Check out the provider’s policies and procedures.

■ Ensure that the provider can handle your business, even if data volumes double or triple.

■ Find out how the provider’s current clients regard support services. Were issues resolved promptly, satisfactorily?




NEW SOLUTION

A CO-MANAGED SOLUTION FOR SECURITY AND CONTROL


“In today’s dynamic environment, security needs to be managed constantly and consistently,” notes Kris Zupan, CEO/CTO of e-DMZ Security. “Changing threats require more specialized expertise than ever before, but, unfortunately, many organizations lack an adequate supply of qualified security professionals.”

Moreover, turning to traditional managed security solutions may no longer be an optimum choice, says Zupan, because “they take away too much control, while legislation like HIPAA demands companies to be in control like never before.”

The solution, he explains, can be found in Co-Managed Security Services (CSS), which adds a well-established security team to an organization’s existing arsenal of defensive capabilities. Unlike traditional managed security service clients, CSS users retain administrative privilege on all devices, have real-time access to all changes made on their behalf and dictate change control.

FEWER PEOPLE, LESS TIME, FRACTION OF THE COST

“No security expert knows your company’s challenges and environment better than the people who are currently supporting it,” says Zupan. “With co-managed security services, you can add experience, expertise, and energy without changing policy or standards. It delivers a mature operational model with years of automation and enterprise experience, while enabling an organization to manage its security infrastructure the way it wants ... with fewer people, in less time, and at a fraction of the cost,” he adds.

It also delivers the freedom to be productive, according to an IT executive at a Fortune 500 pharmaceutical company currently using e-DMZ’s CSS offering, who says it has given “our engineers the freedom to move forward with planning and architecture concerns for our perimeter security systems without having the worry of ensuring that day-to-day responsibilities are completed.”

e-DMZ Security’s experience supporting highly regulated industries is reflected in its own CSS methodology and services. All of e-DMZ’s processes include dual control mechanisms and optimize availability as well as strong, auditable processes and the commitment to never pass an unencrypted packet. e-DMZ’s list of services includes co-managed firewall service, co-managed intrusion detection services, co-managed Unix security, and ESMS+, a unique highly automated security solution ideal for small to mid-size organizations.

For more on co-managed security, visit www.e-dmzsecurity.com.



Web server shields. For environments where trusted OSs are too intrusive, Web server shields such as those from Entercept Security Technologies, Watchguard Technologies and eEye Digital Security offer more flexibility by enabling control over Web servers to be customized. eEye Digital Security’s SecureIIS protects against such Web server attacks as buffer overflows, directory traversals and parser evasions.

SOLUTION: BRING IT ALL TOGETHER

A number of vendors have begun combining key information security solutions into single appliances of many varieties, making it easier for organizations large and small to field centralized but flexible platforms that can handle multiple security requirements.

For instance, Ingrian Networks offers an integrated security platform that encompasses authentication, encryption, cryptographic key management, real-time application protection, secure storage and audit functions.

Nokia’s enterprise-oriented IP530 — which is integrated with Check Point’s VPN-1/FireWall-1 software — delivers VPN, firewall and intrusion detection capabilities. And Internet Security Systems (ISS) has teamed with Nokia to turn out RealSecure, an IDS appliance built on Nokia firewall resources.

FTI, which offers financial restructuring, litigation support and engineering/scientific investigation services, needed to link all offices to its intranet and set up “war rooms” for clients on a separate, secure extranet. The solution replaced a frame relay network with a Check Point virtual private network (VPN) and Nokia’s network security appliances. FTI runs the new network, including client war room sites, for 60 percent less than the cost of a frame relay design, enabling the firm to see ROI within a year.

“Many corporate security initiatives include the implementation of intrusion detection systems throughout the network,” says Dan MacDonald, vice president for product management at Nokia Internet Communications. “While implementing IDS systems in remote offices is critical to achieving robust security, traditional approaches are not feasible due to complex integration and virtually no remote management capabilities.”

SOLUTION: IDENTITY MANAGEMENT/SINGLE SIGN-ON

Multiplicity is doing a number on the ability of organizations to manage how users are granted access to information and applications. User information resides in too many locations (databases, directories, operating systems) and gets managed by too many different utilities (portals, access management tools, platform-specific admin tools, password management tools).

Technologies that enable IT staff to centrally manage user accounts and access rights across diverse IT environments and platforms offer impressive ROI. Gartner Group reports three-year payback at triple-digit-percent levels, achieved chiefly by staff reductions in helpdesk, security administration and application development functions.

Computer Associates’ eTrust Identity Management solutions, for instance, integrate single sign-on with a variety of techniques — including PKI, biometrics and hardware tokens — into a user management process that spans applications and environments, cuts costs via Web-based self-administration, and stays flexible because of an extensible identity directory.

The payback can be significant. A study conducted by Gartner and sponsored by Ernst & Young LLP, Microsoft, Netegrity and Protiviti concluded that a business of 10,000 employees deploying an automated provisioning solution could see an ROI approaching 300 percent and savings of $3.5 million in three years. A business with 50,000 employees implementing an extranet access management solution can expect an ROI of 375 percent in three years.

Real-world results are impressive, too. A survey of 145 U.S. companies by Nervewire found that 38 percent anticipate a fivefold return on their identity management solution investments, thanks mostly to achieving improved customer service, which produces higher customer satisfaction and better customer retention.

EMERGING TECHNOLOGIES, EMERGING RISKS

The rapid growth of electronic business processes and the technology to support them has introduced a new level of complexity to managing security enterprisewide, says Brian Bilodeau, vice president for data movement solutions at Sterling Commerce. “Not only do processes span business units within an organization,” he says, “but they also extend outside to include customers, suppliers, financial institutions, business partners, governmental and regulatory agencies, and other constituencies.”

That’s not all. Extended business processes involve sharing of data among the participating constituencies and software applications that implement elements of a business process, Bilodeau notes. Implementing an electronic business process requires CIOs to build an infrastructure that enables the automated movement of data while addressing all the requirements for securing data.

Bilodeau points to the use of FTP for ad hoc transfer of business data. Even when users encrypt the data before transferring, the use of FTP creates a high security risk because security information, such as user IDs and passwords, is often stored and transmitted in clear text. “CIOs and CSOs must look for ways to secure the use of FTP within their enterprise,” Bilodeau says.

Here are some suggestions for securing some of the popular new technologies:

SECURE DATA EXCHANGE

A range of options, from classic electronic data interchange (EDI) to Internet-based data interchange with or without added capabilities (such as project management), are available from providers like Global eXchange Services, Inovis, Sterling Commerce and QRS Corp.

Sterling Commerce’s Connect:Direct offerings, for instance, feature assured data delivery, checkpoint/restart, a cryptographic suite for authentication, encryption and data integrity, firewall navigation and data compression.

Others, such as Sigaba, offer secure messaging solutions with configurable policies that permit administrators to determine which messages are encrypted, archived or flagged for further review.

CONTROL I.M. OR EXTERMINATE IT

The immense popularity of instant messaging and other peer-to-peer technologies puts pressure on IT staff to do something about the security challenges they pose. By 2006, says IDC, almost half of the 506 million IM users will be in businesses. Yet widely used IM freeware (from AOL, Microsoft, Yahoo) is virtually unsecured. These programs transmit data in the clear; they bypass firewalls, antivirus scanners and intrusion detection systems. You can try to keep IM use in-house (good luck). Network intrusion detection systems can be used to monitor all traffic traversing a firewall and spot known IM traffic patterns. Network recording systems, such as those from Sandstorm or Niksun, can also do the trick.

Or insist that an enterprise-oriented IM solution — such as IBM’s Lotus Sametime or Sigaba’s Secure IM — be used. These build encryption, authentication and LDAP integration into the IM solution.

SOLUTION: THREAT MANAGEMENT SYSTEMS

“Many organizations of all sizes have been overwhelmed with security management and the difficulties in protecting themselves across the extended enterprise in a cost-effective manner,” says Tom Noonan, chairman, president and CEO of Internet Security Systems (ISS).

“The best approach to security enables organizations to proactively protect against potential security risks when vulnerabilities are first discovered and before threats can become active attacks,” says Noonan. “The result is more effective resource planning and timely response to both known and unanticipated threats with minimal impact on production systems or daily business operations.”

CASE STUDY

“We put a tremendous emphasis on security, as do our client banks,” says David E. McCampbell, senior vice president and CTO at Magnet Communications, a provider of Web-based cash management and business banking solutions to the nation’s top-performing financial institutions.

Not surprisingly, security was a critical element McCampbell and his team used to evaluate the software it needed to support Magnet’s ASP business. After an in-depth review, reports McCampbell, Magnet chose Sterling Commerce’s Connect:Direct (a peer-to-peer file-based integration software solution) and Connect:Direct’s highly versatile Secure+ Option for data confidentiality, message integrity, server authentication and client authentication.

BEYOND A SHADOW OF A DOUBT

“Secure+ is a key component of Connect:Direct for us and for many of our client banks,” says McCampbell. “With Secure+, we know — and our client banks know — that data is in the most secure fashion when it’s being transferred by Internet or over frame relay.”

According to McCampbell, Secure+ provides “plenty of mutual authentication” by making use of such technologies as digital signatures and SSL for data encryption.

“So, if I’m sending data, you know and I know that you and I are talking to each other; in other words, I know you’re the only one seeing it,” he explains.

Moreover, he says, Secure+’s use of industry-accepted hashing algorithms makes it impossible to tamper with the data as it’s being transmitted.

“This is critical financial information being transmitted between Magnet and our client banks — multimillion-dollar wire transfers, stop payments, balance information, payroll and tax information — and we must be able to ensure beyond a shadow of a doubt that no tampering has occurred during the transmission and transfer of the data. Secure+ gives us that confidence.”

Magnet, which has been using the Connect:Direct and Secure+ combination since 2000, is extremely pleased with the performance of Sterling Commerce’s products.

“We’ve seen no degradation in service; it just hasn’t been an issue. Performance has been great, very efficient, very reliable and there hasn’t been much in the way of on-going maintenance,” he says.

McCampbell, however, saves his greatest praise for Sterling Commerce’s support.

“They excel at training, act like a partner not a vendor, and take responsibility for quickly addressing any issues that arise — you can’t ask for much more,” he says.

For more information, contact Sterling Commerce at www.sterlingcommerce.com.

All the events reported by all security systems have been gathered and distilled manually for some time. But the volume and complexity of security data makes such manual event correlation impossibly costly.

Security information management systems work in the background 24/7 doing dynamic risk correlation — consolidating all security data and translating inputs into a homogenous set of events that are analyzed with an assortment of techniques to identify threat conditions. Because these automated systems can handle many inputs, defense in depth and breadth is feasible. And because IT staff get results in real time, threat intervention can be timely and effective. Furthermore, the comparative metrics generated enable early detection of changing conditions and patterns.

ISS’s RealSecure SiteProtector, for instance, combines intrusion detection, prevention and response as well as vulnerability assessment, policy compliance, and data collection and analysis — all of which is accessible via a centralized, policy-based management console.
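To show the normalize-and-correlate step of a security information management system in working form, here is an added Python example (not vendor code, and not code from the article) that translates three constructed vendor log formats into one homogeneous event record and flags any host reported by more than one sensor inside a short window; the log formats, field names, severity mapping and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log lines in three hypothetical sensor formats (perimeter
# firewall, network IDS, host antivirus). They imitate no real product's output.
RAW_LOGS = [
    "2003-05-01T03:14:07 fw1 DENY tcp 10.0.0.5:4321 -> 192.0.2.10:445",
    "2003-05-01T03:14:09 fw1 DENY tcp 10.0.0.5:4322 -> 192.0.2.11:445",
    '2003-05-01T03:14:15 ids2 ALERT prio=2 sig="SMB probe" 10.0.0.5 -> 192.0.2.12',
    "2003-05-01T03:14:40 av host=ws-17 ip=10.0.0.5 detected=Worm.Generic action=quarantined",
    "2003-05-01T03:20:00 fw1 DENY udp 10.0.0.9:5000 -> 192.0.2.10:53",
    '2003-05-01T09:00:00 ids2 ALERT prio=3 sig="Port sweep" 10.0.0.9 -> 192.0.2.20',
]

@dataclass
class Event:
    """The homogeneous record every sensor's output is translated into."""
    ts: datetime
    source: str          # which sensor reported it
    category: str        # firewall-deny / ids-alert / malware
    severity: int        # common scale, 1 (low) .. 5 (high)
    src_ip: str          # host the activity is attributed to
    dst_ip: Optional[str]

FW_RE = re.compile(r"^(\S+) (\S+) DENY (\w+) (\S+):\d+ -> (\S+):\d+$")
IDS_RE = re.compile(r'^(\S+) (\S+) ALERT prio=(\d) sig="[^"]*" (\S+) -> (\S+)$')
AV_RE = re.compile(r"^(\S+) (\S+) host=\S+ ip=(\S+) detected=\S+ action=\S+$")

def normalize(line: str) -> Optional[Event]:
    """Translate one raw line into an Event, or None when the format is unknown."""
    m = FW_RE.match(line)
    if m:
        ts, src, _proto, sip, dip = m.groups()
        return Event(datetime.fromisoformat(ts), src, "firewall-deny", 1, sip, dip)
    m = IDS_RE.match(line)
    if m:
        ts, src, prio, sip, dip = m.groups()
        # Assumed IDS convention: priority 1 is highest; map it onto the 1..5 scale.
        return Event(datetime.fromisoformat(ts), src, "ids-alert", 5 - int(prio), sip, dip)
    m = AV_RE.match(line)
    if m:
        ts, src, ip = m.groups()
        return Event(datetime.fromisoformat(ts), src, "malware", 4, ip, None)
    return None

def correlate(events: List[Event], window: timedelta = timedelta(minutes=5),
              min_sources: int = 2) -> Dict[str, List[Event]]:
    """Return, per host, the first cluster of events in which at least
    min_sources distinct sensors reported that host within `window`."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.src_ip].append(ev)
    threats: Dict[str, List[Event]] = {}
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e.ts - first.ts <= window]
            if len({e.source for e in cluster}) >= min_sources:
                threats[host] = cluster
                break
    return threats

def threat_score(cluster: List[Event]) -> int:
    """Simple comparative metric: summed severity of the correlated events."""
    return sum(e.severity for e in cluster)

def run(lines: List[str] = RAW_LOGS) -> Dict[str, List[Event]]:
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(events)

if __name__ == "__main__":
    for host, cluster in run().items():
        print(host, "score", threat_score(cluster), [e.category for e in cluster])
```

Only 10.0.0.5 is flagged: its firewall denies, IDS alert and antivirus detection fall within five minutes, while 10.0.0.9 is seen by two sensors hours apart and stays below the threshold.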

SOLUTION: INTEGRATED SECURITY MANAGEMENT

The complex heterogeneous network and application environments that are necessary for empowering e-business have spawned equally intricate security and management processes. Implementing security policies across such environments while maintaining an appropriate balance between business performance and risk mitigation is proving difficult. Moreover, in too many organizations, managing user access rights means juggling multiple directories, user lists, password lists, application access lists and password reset activities.

“CIOs and CSOs are suffering from security information management overload,” says Toby Weiss, senior vice president for eTrust Security Solutions at Computer Associates. “Millions of messages from firewalls, VPNs, antivirus products, access control products, directories, etc., cause them to suffer from a signal-to-noise problem.” SD


THE VALUE OF PRIVACY

WHILE PROTECTING YOUR ASSETS, BE SURE TO RESPECT YOUR CUSTOMERS’ PRIVACY, TOO

Stories abound of organizations tempted by all that customer information into violating their customers’ trust — even if they figure out ways around corporate privacy policy. The stories generally end badly for the organizations, leading to the conclusion that not respecting customer preferences about how their information is used too often turns into a costly mistake. Similarly, not protecting that information sufficiently can also be costly. Customer fears about privacy are starting to shape their purchasing decisions. IBM found in a recent study that 54 percent of U.S. consumers have chosen not to buy something from a company because they were unsure about how their personal information would be used, and 70 percent want to see a website’s privacy notice before buying.

“To maintain a positive reputation and trust between organization and customers, enterprises must make privacy a top priority,” says Jim Dunn, network manager at Citywide Banks in Aurora, Colo.

“CIOs, CSOs, and their companies should think of their customers first, before any legal responsibility,” Dunn says. “This should be first and foremost for any company that respects their customers and wants to foster trusted long-term relationships with them.”

Dunn notes that the SEC and regulations such as HIPAA for health-care organizations and the Gramm-Leach-Bliley (GLB) Act in the financial services sector mandate that effective privacy measures be put in place, and companies are being audited on their compliance — with stiff penalties being imposed for failure to comply.

Cultivating trust begins with an information privacy policy that respects customer preferences. Some considerations:

Opt-out defaults indicate greater concern for customer wishes than more aggressive opt-in defaults that assume customers grant permission for further contact (the consolation: when customers choose to opt in, they’re likelier to respond to contact).

Frequent communication with customers helps ensure that information-use practices remain acceptable.

Regular audits make it easier to track what data is being gathered, how it’s used, and how it’s secured.

Dunn suggests using a combination of policy and technology. For example, each document can be sent with a notice that the recipient is responsible for maintaining the privacy and confidentiality of the message. The administrator can also set a policy that the message cannot be stored in decrypted form, thus reducing the possibility that an unauthorized recipient could gain access. In addition, if a key server is being used in secure document delivery, the key can be set to expire after a given period of time.




SECURITY: NEW REALITY CHECK | THE SECURITY STRATEGY IMPERATIVE


Continued from page 6

Internet Security Systems, Computer Associates, and Foundstone.

CREATING A SECURITY POLICY

You’ll need operational policies that are customized to your organization’s business requirements, so you’ll have a set of rules-based standards for managing infrastructure and handling events.

Such policies should delve into some detail and include rules about such issues as which services to disable, which operating systems (OSs) to harden and which systems the network can access.

Make sure you know that policies are being followed. Assessment tools, such as Internet Security Systems’ Scanner offerings, can help spot problems and send alerts. Computer Associates’ eTrust Policy Compliance monitors systems and databases, and provides auditing and correction of security breaches.

“My advice,” says Toby Weiss, senior vice president for eTrust security solutions at Computer Associates, “is to build off of best practices, constantly review the policy and audit, and assess its enforcement.” Most companies have a corporate policy document, but the challenge is how to turn that document into IT security policy, automatically enforce and audit that policy, and loop back and improve the policy.


Ancient  military  wisdom  can  be 
grimly  simple:  Several  tiers  of  defense 
are  better  than  one. 

This  means  planning  not  only  for 




BUSINESS CONTINUITY: THE DARK SIDE OF SECURITY PLANNING

Of the more than $40 billion that insurance companies paid out because of the September 11 attacks, more than 25 percent — $11 billion — was for claims relating to business interruption.

Some industry experts say that among organizations that suffer significant, sustained disasters, 20 percent are completely out of business within 24 months.

Yet many companies simply don’t have disaster recovery/business continuity plans. Many of those who do have allowed them to become out of date. Still other plans have dangerously ignored key human factors.

To ensure your organization’s survivability, you’ll need a business continuity plan that is:

■ Based on the best possible understanding of the survivability risks faced by your organization. This includes reviewing assumptions about the risks your enterprise faces, and don’t forget about partners, suppliers, customers. Since organizations’ security requirements are unique, Robert Francis Group recommends that CIOs and CSOs develop business application profiles that define security requirements for each application or area, including database, file, e-mail and Web servers.

■ Up to date and comprehensive, identifying and tackling all potential points of failure.

■ Addressing technology issues in terms of business operations. These include rapid restoration of operations, critical technologies and personnel.

■ Developed with the input and support of line-of-business managers and key constituencies, since the plan will be expected to work across the organization, not just among IT staffers.

■ Tested and refined — and then regularly re-tested and re-refined thereafter, especially with every substantive change in infrastructure and processes. Expect to modify vendor relationships along the way.


22 STRATEGIC DIRECTIONS


multiple layers of carefully positioned and configured security technology solutions at both the host and network level — such as firewall, intrusion detection systems and antivirus software — it also means layering authentication procedures; continuously monitoring and patching systems, networks and applications; and handling people (paying attention to the discontented, for instance).

PROTECTING YOUR ASSETS

“Face it,” says MIT’s Foss, “people write software programs and people make mistakes. There will always be security issues in software.”

The question, then, is how to keep them from doing harm.

Meta Group’s Byrnes has these suggestions:

■ BUILD DESIGN STANDARDS for various identified security level requirements. Development teams should self-certify against the design standards for that level.

■ APPLICATION DEVELOPMENT TEAMS SHOULD USE DEFINED METHODS for gathering security-level information from application owners in the business units.

■ EITHER THE INFORMATION SECURITY DEPARTMENT OR INTERNAL AUDIT SHOULD SPOT CHECK for compliance.

■ PRE-PRODUCTION Q.A. TESTING SHOULD INCLUDE COMMON SECURITY FAILURE TESTS.
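Byrnes’ last point is easier to act on once a “common security failure test” has a concrete shape. The following Python block is an added example, not from the article or from Meta Group: it places a naive file-path joiner beside a hardened one and runs both through the same short list of classic failure cases (directory traversal, absolute paths, control bytes, oversized and empty input), the kind of check a pre-production QA step can run unattended. The document root, the function names and the cases are all assumptions; the harness is strict on purpose, counting only an explicit rejection of hostile input as a pass.

```python
import posixpath

BASE = "/srv/docs"      # constructed document root for the function under test


def naive_join(base: str, user_path: str) -> str:
    """The 'before': joins whatever the caller supplied."""
    return posixpath.join(base, user_path)


def safe_join(base: str, user_path: str) -> str:
    """The 'after': rejects control bytes, absolute paths and anything that escapes base."""
    if not user_path or len(user_path) > 255:
        raise ValueError("bad length")
    if any(ord(c) < 32 for c in user_path):        # covers NUL and other control bytes
        raise ValueError("control character")
    if user_path.startswith("/"):
        raise ValueError("absolute path")
    resolved = posixpath.normpath(posixpath.join(base, user_path))
    if resolved != base and not resolved.startswith(base + "/"):
        raise ValueError("escapes base")
    return resolved


# (name, input, expectation): "inside" means the result must stay under BASE,
# "reject" means the function must raise. Classic failures, all constructed.
COMMON_FAILURE_CASES = [
    ("plain", "reports/q1.pdf", "inside"),
    ("dot-dot", "../../etc/passwd", "reject"),
    ("nested dot-dot", "reports/../../../etc/passwd", "reject"),
    ("absolute", "/etc/passwd", "reject"),
    ("null byte", "q1.pdf\x00.txt", "reject"),
    ("oversized", "a" * 4096, "reject"),
    ("empty", "", "reject"),
]


def run_security_checks(fn) -> dict:
    """Map each case name to True (behaved) or False (failed) for the given join function."""
    results = {}
    for name, user_path, expectation in COMMON_FAILURE_CASES:
        try:
            out = fn(BASE, user_path)
        except ValueError:
            results[name] = expectation == "reject"
            continue
        if expectation == "inside":
            results[name] = out == BASE or out.startswith(BASE + "/")
        else:
            # Strict QA policy: hostile input must be rejected outright,
            # not quietly rewritten into something that happens to look safe.
            results[name] = False
    return results


def failures(fn) -> list:
    """Names of the cases the function got wrong; an empty list means it passed."""
    return [name for name, ok in run_security_checks(fn).items() if not ok]


if __name__ == "__main__":
    print("naive_join fails:", failures(naive_join))
    print("safe_join fails: ", failures(safe_join))
```

Run against the naive version the harness reports every hostile case as a failure; against the hardened one it reports none, while the plain case still passes for both, which is what keeps the test honest about functionality as well as safety.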

The bottom line of security strategy: Think ahead.

“Don’t just think about what you need today,” suggests Jim Dunn, network manager of Citywide Banks in Aurora, Colo. “Think about what you’ll need years down the road as you grow and become more sophisticated, so that you can leverage your existing investments and scale them broadly and for many more uses.” SD


Security is hard. It requires tremendous technical expertise, is expensive to do well and is rarely part of an organization’s core business model. In addition, the online threat spectrum continues to evolve with sophisticated hybrid attacks that can circumvent firewalls and antivirus technology.

No one doubts the need for secure online business operations. The challenge is how to do so efficiently and effectively. That’s where the Dynamic Threat Protection approach provides a clear advantage over other security methods.

TO PROACTIVELY PROTECT AND SECURE

The Dynamic Threat Protection approach is the natural evolution of Internet Security Systems’ (ISS) market-leading vulnerability assessment, intrusion detection and security knowledge offerings. After all, effective protection requires the best analysis, detection and response possible.

Dynamic Threat Protection enables companies to proactively protect against potential security risks when vulnerabilities are first discovered and before threats become active attacks. This combination improves the value of each security dollar invested, especially for extended enterprises with many gateway devices, a lot of remote or mobile workers, and a strong need for centralized administration and control.

Dynamic Threat Protection requires three essential steps. Implement best-in-class protection technology. Deploy that technology with platform coverage across the entire enterprise. Establish up-to-date readiness to combat new threats.

KEY ADVANTAGES OVER MANUAL AND POINT SOLUTIONS

This approach leads to three key advantages over the manual methods and disparate point solutions prevalent in the marketplace today:

■ ACCURACY — The Dynamic Threat Protection approach rapidly and accurately detects attacks and minimizes false positives.

■ PERFORMANCE — Dynamic Threat Protection offerings operate at increasingly rapid line speeds across the network, and scale from workgroups to multinational organizations with many locations.

■ LOW TOTAL COST OF OWNERSHIP (TCO) — The Dynamic Threat Protection approach significantly lowers TCO by minimizing the need for manual intervention in the security process and automating the discovery and repair of potential vulnerabilities.

Available only through ISS and its partners, products and services based on the Dynamic Threat Protection approach give security staff the ability to quickly concentrate efforts on the most urgent issues. The end result is more effective resource planning and timely response to both known and unanticipated threats with minimal impact on production systems or daily business operations.

To learn more about Internet Security Systems and Dynamic Threat Protection, please visit www.iss.net or call 888.901.7477.




STRATEGIC  DIRECTIONS  23 


In a world where there’s a different kind of threat every day, you need a different kind of security.

New threats can blow right through any firewall or anti-virus software. That’s where we come in. Our dynamic protection helps you conduct business safely in the face of ever-changing threats and increased risk. From proactive research and award-winning software to 24/7 protection and response services, our solutions detect, prevent and respond to online attacks and misuse. No matter who you’re up against. To learn more, call 800-776-2362. Or visit www.iss.net/ad/ciomag.

Internet Security Systems


New Publication

[But you already knew that, didn’t you?]

CSO magazine is the proud recipient of the prestigious 2003 Jesse H. Neal Award for “Best New Publication.”

CSO was also honored as first runner-up to sister publication CIO magazine for the Grand Neal Award — the top editorial honor granted to one publication from more than 1,000 entries across all categories and circulation sizes. This marks the first time a new publication has received such prestigious recognition so early on.

Often hailed for its preeminence as the “Pulitzer Prize of the business press,” the Neal Award is the business publishing industry’s annual salute to individual editors for outstanding editorial excellence.

The Neal Award judges aren’t the only ones who value CSO magazine. 98% of CSO readers find the content of CSO relevant to their jobs.*

* SOURCE: CSO MAGAZINE “SECURITY SENSOR II,” DECEMBER 2002


UNISYS PRESENTS THE EXPERT

A few minutes with Roberta Witty, Research Director, Information Security and Privacy, Gartner Group

Security Risks and Solutions in Financial Services

Roberta Witty is a research director in Gartner’s information security strategies group. Prior to joining Gartner, Ms. Witty managed the global technology risk management function for the corporate trust business of Chase Manhattan Bank.

> Could you please assess the state of security across the financial services industry - banking, brokerages and insurance companies?

Financial services tends to be one of the industries with better information security protection. For one thing, these businesses are highly electronic and automated; and more importantly, they are regulated. Unlike manufacturing, they don’t produce a physical asset; they’ve used computers to generate and deliver their business processes for a long time; and because they’re dealing with money, they must protect their assets. Information security is already a key part of their business continuity plans.

In general, banks, brokers and insurance companies have fairly mature information security programs. To a large extent, they’re better positioned than many industries. But they’ve also got more to lose. They’re in the risk game, so risk is a part of their culture.

> What are some of the unique risks financial institutions face?

Because they’ve externalized a lot of their business processes to the Internet, they’ve opened themselves up to new external risks. To protect their perimeter, they’ve invested in firewalls, intrusion detection and virus protection. And now with web services, where messages can bypass firewalls and other standard protections, they’re starting to invest more in transaction-level and program-to-program security measures. Wireless technologies also present a whole new set of security problems that haven’t all been resolved. In some companies, you’re actually seeing laptops installed on mail carts so that as mailroom clerks deliver mail, they can monitor and look for [rogue] wireless networks throughout the company.

> What new types of security measures have financial institutions implemented recently?

There’s been an increased focus on encryption technologies because network connections are now exposed. Intrusion detection systems are not working the way people thought they would — there is a lot of activity and a lot of access points to monitor, the skill set is not always available within the enterprise to analyze the data, and why put all that effort in for something that has already happened? Therefore, the focus is shifting to preventing the incident rather than just tracking it. Due to regulatory compliance from both GLB and Sarbanes-Oxley, companies are also starting to invest in identity and access management systems - one of the few areas where one can achieve demonstrable ROI through productivity, cost-savings and headcount reduction.

> Who have been the fast-movers among financial institutions to embrace and implement the most innovative security measures?

Brokerages and the cash management departments of banks have always had very strong information security practices because of the sheer dollar volumes they process. They’ve been long-time users of encryption technologies, and are more invested in using strong authentication technology. Banks, because of regulations, have very strong business continuity programs. Post-September 11, the SEC and the Federal Reserve are looking to further strengthen the financial markets’ ability to recover from an event that impacts the industry.

> What’s your advice to CSOs who need to plan and execute their security strategies?

The regulations that financial services firms need to comply with - GLB, Basel Accord II, and the Turnbull Report to name a few, are putting the spotlight on information security and business continuity, with the added focus of enterprise risk management. This will make the CSO’s job easier. But it is still an uphill battle for funding and human resources - qualified personnel are not easily found outside of large urban centers. There was a time when being the business continuity manager was your last job within the firm before they showed you the door — that’s no longer the case. CSOs need to have a conversation with senior executives in order to align the information security program with their business objectives and to understand how much the company is willing to risk. This will help prioritize the rollout of their strategy. If they approach information security as just a technology implementation, they will fail.


For more information, please call 800-874-8647 x381 or visit www.unisys.com/financial

UNISYS

Imagine it. Done.

Three of the world’s largest banks open every day in the U.K. because of what we do every night

Outsourcing

Infrastructure

Consulting

Imagine it:

Business process operations outsourced so efficiently, all parties now save money on a job that once consumed their time and effort. That’s the solution Unisys provided Barclays, HSBC and Lloyds TSB for processing checks.

Done:

Unisys worked with the three banking rivals to form a joint venture and create a new company to do their nightly check processing. The joint venture with Unisys now handles 67% of all checks in the U.K. and profits all parties. Having collaborated every night, they open for business every day...as competitors.

Imagine it. Done.

unisys.com


The Who, What and Why of Washington

Top Billing

Homeland Melting Pot

The government consolidated several agencies under the umbrella of homeland security, a move some fear will be less than smooth. By Julie Hanson

When organizations consolidate, it often means that services are lost. But some cybersecurity experts believe that folding three security-focused government organizations into the monstrous Department of Homeland Security is a step in the right direction.

On March 1, approximately 300 employees of the National Infrastructure Protection Center (NIPC), National Communications System and Federal Computer Incident Response Center found their organizations had been dissolved. They now report to the DHS’s Information Analysis and Infrastructure Protection (IAIP) directorate. “Fundamentally, there was a recognition that in order to best defend the homeland, we needed to consolidate as many of the elements that are engaged in this defense under one chain of command,” says David Wray, acting communications director for the IAIP.

For now, Wray says that little will change in the eyes of the private sector. The three organizations’ websites will remain up for the time being, and they will continue providing services, including alerts, bulletins and security advisories. But the IAIP will evaluate these services, looking to reduce overlap and uncover any gaps in cybersecurity protection where new services can be added. Wray adds that if you’ve developed a relationship with someone from one of these now dissolved organizations, you should keep it. The majority of staff members have the same job function.

Government organizations are not the only watchdogs available to security executives. Phyllis Schneck, chairman of Infragard—a partnership between the FBI, private industry and academia—says “the formation of the DHS’s [IAIP] is a tremendous asset to information sharing and protection.” Infragard, developed by the NIPC as an outreach effort, has nearly 8,000 members in 56 chapters affiliated with FBI offices in most cities. Schneck says the role of Infragard will not change.

But former NIPC head Michael Vatis says some recent Bush administration decisions are “seriously regressing” progress made in cybersecurity research and development. Vatis, in a statement to a House subcommittee, says many DHS positions responsible for cybersecurity policy-making and outreach to private industry have yet to be filled; some have not yet been formally nominated, let alone confirmed by Congress.

Some in the government and private sector fear that the transitioning departments may suffer from a “not my job, not my problem” attitude. In a letter penned to the FBI, Sen. Charles Grassley (R-Iowa) conveyed his unease with the handling of an investigation into a Boston-area software company. Grassley claims that the FBI may not have done enough to ensure that the computers and networks of the government and private sector were free from vulnerabilities that could have come from the company’s software. Grassley reminded the FBI that “until the NIPC moves into the DHS, it is still the FBI’s responsibility to serve as the U.S. government’s focal point for threat assessment, warning, investigation, and response for threats and attacks against our critical infrastructures.” ■


ONLINE ACCESS

Department of Homeland Security: www.dhs.gov

Infragard: www.infragard.net

The SANS Institute: www.sans.org

National Infrastructure Protection Center: www.nipc.gov

Federal Computer Incident Response Center: www.fedcirc.gov

National Communications System: www.ncs.gov


NEWS FROM INSIDE THE BELTWAY

Rep. Mac Thornberry (R-Texas) has been appointed chairman of the House Homeland Security Subcommittee on Cybersecurity, Science, Research & Development. Goals for this subcommittee include the development of short- and long-term R&D programs on cybersecurity technologies. Thornberry is also a member of the House Armed Services and Budget committees.

Sen. Joe Biden (D-Del.) has introduced the Secure Authentication Feature and Enhanced Identification Defense (SAFE ID) Act of 2003. This act is designed to prevent the creation of false, misleading or inaccurate government IDs by making it illegal to possess, traffic or use misleading authentication features often seen on IDs, such as holograms and watermarks. Biden hopes this bill will help efforts to combat terrorism, prevent identity theft and curb underage drinking.

Congress is reviewing legislation that directs the Federal Communications Commission to assign four channels along the 24MHz spectrum for emergency use only. This bill attempts to fix a loophole that allows television stations to continue to use this spectrum, says cosponsor Rep. Curt Weldon (R-Pa.).

A report by research firm Zeichner Risk Analytics shows that 36 states have yet to prepare, adopt or implement adequate cybersecurity policies as required by Congress. The report also concludes that during the past two years, state governments have fallen even further behind the federal government and the financial services industry in their development of cybersecurity programs.

For more about what’s happening in Washington, visit our website at www.csoonline.com/wonk.

22 www.csoonline.com May 2003

PHOTO BY GETTYONE



Security Counsel

Someone to Watch Over You

@Stake CTO Dan Geer answers readers’ questions about insurance for the CSO

Q: Before I buy infosecurity malpractice insurance and presumably pay pricey premiums, I’d like to know that someone’s done a credible job of defining a standard for what constitutes malpractice. Has that been done? And by whom?

A: Malpractice insurance would assume that we know what malpractice is, and we simply do not—although the next-to-last draft of the National Strategy to Secure Cyberspace did invite the licensure of security professionals. Absent licensure, there is no gating competence standard for security professionals.

The only other standard would be a code of ethics and a professional body to hold the stone tablets on which they were writ. We don’t have that either.

Hence the claim that we do not know what malpractice is, at least not in the way more venerable professions do.

What we do have is liability insurance, such as Directors and Officers (D&O) insurance and Errors and Omissions (E&O) insurance. A sole practitioner really does need some sort of protection from professional liability, as does a consultancy, both probably more in the form of E&O. There is not yet an established sense of what constitutes good security professional work, however, and it will be hard to define. The competence standard will get defined, whether or not the recommendations for licensure fall out of the National Strategy (as they did under lobbying pressure). In the case of D&O, policies do differ, but it is very difficult to know what you have to work with. For example, a leading market underwriter has a war exclusion in its policy. The underwriter classifies terrorism as invoking war and further classifies hackers as terrorists. Where such a classification scheme is in place, it is hard to imagine collecting insurance money for the impact of an attack from the Internet, assuming you define malpractice as equivalent to a D&O liability. To carry that a bit further, the same insurance carrier voids its business continuity coverage of “failure to patch” and in turn voids its D&O coverage where the covered party “fails to maintain insurance.” In short, malpractice is about character. The business decisions are about who can sue whom and for what.

Q: How do you think 9/11 has affected cybersecurity initiatives? What course will the cybersecurity market take going forward?

A: Disaster preparedness has been affected most since 9/11. Before that day, the press and public would say that a cyberattack proved that the victim was asking for it. After 9/11, the press and public grasp that there are bad people in the world and that perhaps the victim was not asking for it. Companies must pay attention to their forensic abilities, which require planning for forensic data collection before an attack, if they want to pursue attackers. No doubt there will come a time when incident response will be part of the mandatory professional skill set of security professionals and therefore its absence would be a malpractice marker.

Malpractice insurance, per se, does not have a logical basis, but liability risk won’t wait until it does.

Q: Who is responsible when a physical security breach occurs?

A: This is a best practices sort of question, and I hope you don’t have to figure out who is responsible at the time of the breach. As such, physical security is properly the province of those who maintain the building in question. These include the people who own the building, the survivability of its systems and to whom deficiencies from inspection reports fall to for correction.

If data is at risk—for example, if a company’s security posture depends on a physical boundary around the electronic asset—then of course facilities and data people have to work together. The place to start working is around incident handling—something everyone needs to plan for and few do anyhow. If for no other reason, do it because the result of making such a plan is valuable (not having to choose between operational recovery and evidence preservation) and so is the byproduct (common understanding around the actual requirements for integrity, continuity and auditability). Speaking to the CSO, if a single building failure takes you out of business, you are either the leader of a small company or you are insufficiently paranoid. Both can be fixed. ■

Have a security topic to suggest or an expert you’d like to hear from? Send your thoughts to Assistant Managing Editor Kathleen Carr at kcarr@cxo.com. Go online to see what your peers are discussing at www.csoonline.com/counsel.

24 www.csoonline.com May 2003

PHOTO BY FURNAID/GRAY


Check Point Internet Security.

Protect your network at every moment, every level, every location.

Every minute, every day, Global Fortune 500 companies protect their networks with Check Point’s leading Internet security solutions. Only Check Point provides true Stateful Inspection, the de facto standard for Internet security. For state-of-the-net protection, Check Point has developed SmartDefense, which provides real-time detection and protection against known and unknown attacks. With our leading Firewall and VPN solutions you’ll get the most secure, most scalable and most comprehensive security in the industry. Every possible point of attack is covered - from corporate headquarters to the remote employee.

Find out how to truly protect your network by getting your hands on our mission critical white paper today — “Mitigating the SANS/FBI Top 20 Internet Security Vulnerabilities.” It will change the way you look at protecting your network. www.checkpoint.com/top20/cso

Check Point Software Technologies Ltd.

We Secure the Internet.

©2003 Check Point Software Technologies Ltd. All rights reserved.


Will Hack for Food

instance, internal procedures often assume that nontechies won’t know how to boot from a floppy, run a packet sniffer or trap keystrokes to look for passwords.

Consider adding antihacking rules to existing acceptable use policies. Remove ambiguities and clearly state grounds for termination—regardless of motivation or damage. This list should be unique to the company but should include universal prohibitions like using someone’s log-on or hooking up external storage devices such as USB drives.

Be liberal with these permissions, however, because it’s a great way to sniff out trouble. Detect intruders by leaving some bait lying around such as network files with important-sounding names. Another good way to tell if you’re being probed is to create a restricted user account with an easily cracked password.

Cartographers add fake towns to their maps to tell if they’ve been plagiarized. I’ve done something similar with databases by adding a few fake records at the beginning, middle and end.
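The three kinds of bait the column describes (files with important-sounding names, a restricted canary account, fake records) only pay off if something watches for them. The following Python block is an added example, not the author’s own tooling: it parses a few constructed log lines of file-access, authentication and database events, raises an alert whenever bait is touched, and groups hits by host so that one workstation probing several lures stands out. The log format, file paths, account name and record ids are all constructed for the example.

```python
import re
from collections import defaultdict

# Bait that legitimate work never touches (constructed names, not the column's).
BAIT_FILES = {
    "/shares/finance/2003-merger-terms.xls",
    "/shares/hr/exec-salaries.doc",
}
CANARY_ACCOUNT = "svc_backup2"      # restricted account with a deliberately weak password
CANARY_RECORD_IDS = {"CUST-000017", "CUST-048211", "CUST-099998"}   # fake DB rows

# Constructed sample log: one event per line, key=value fields, no spaces in values.
SAMPLE_LOG = """
2003-05-02 09:12:01 FILE user=jdoe host=ws-114 action=open path=/shares/finance/budget.xls
2003-05-02 09:13:44 FILE user=mlee host=ws-207 action=open path=/shares/finance/2003-merger-terms.xls
2003-05-02 09:15:02 AUTH user=svc_backup2 host=ws-207 result=success
2003-05-02 09:15:30 AUTH user=svc_backup2 host=ws-207 result=failure
2003-05-02 09:20:10 DB user=app_web host=dbsrv query_rows=CUST-000016,CUST-000017,CUST-000018
2003-05-02 09:21:00 DB user=jdoe host=ws-114 query_rows=CUST-000300
""".strip()

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kind>FILE|AUTH|DB) (?P<rest>.*)$")


def parse_fields(rest: str) -> dict:
    """Turn 'a=1 b=2' into {'a': '1', 'b': '2'}; tokens without '=' are ignored."""
    return dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)


def detect_honeytoken_hits(log_text: str) -> list:
    """Return (kind, user, host, detail) tuples, one per interaction with bait."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an event line; skip rather than guess
        kind, f = m["kind"], parse_fields(m["rest"])
        if kind == "FILE" and f.get("path") in BAIT_FILES:
            alerts.append(("bait_file", f["user"], f["host"], f["path"]))
        elif kind == "AUTH" and f.get("user") == CANARY_ACCOUNT:
            # Nobody should know this account exists: success and failure both count.
            alerts.append(("canary_login", f["user"], f["host"], f["result"]))
        elif kind == "DB":
            touched = set(f.get("query_rows", "").split(",")) & CANARY_RECORD_IDS
            if touched:
                alerts.append(("fake_record", f["user"], f["host"], ",".join(sorted(touched))))
    return alerts


def hits_by_host(alerts: list) -> dict:
    """Count alerts per host so a single machine probing several lures stands out."""
    counts = defaultdict(int)
    for _kind, _user, host, _detail in alerts:
        counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect_honeytoken_hits(SAMPLE_LOG)
    for alert in found:
        print(*alert)
    print(hits_by_host(found))
```

On the sample, the budget spreadsheet and the real customer row produce nothing, while the merger file, both canary-account attempts and the query that swept up a fake record each produce an alert; three of the four land on the same workstation, which is the signal worth walking over to look at.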

A good security officer also uses SMBWA (Security Management By Walking Around). It doesn’t take a lengthy conversation to figure out which employees are technically savvy.

Terminated employees should be walked out immediately after they’ve been let go. I worked at a company once where a call center employee was let go by HR and allowed to pack up his cubicle unescorted. Shortly afterward, we noticed an FTP session start from within the call center. I walked over to the ex-employee’s desk and found that he was dumping proprietary information from the company to an offsite server. We searched his computer and found several Trojan horses, including one hooked up to an illicit modem.

The long-term solution is to develop a pipeline for promoting staff from within. Job requisitions should be scrubbed to remove padded requirements that effectively block internal transfers. Encouraging a corporate culture of upward mobility will protect a company from internal attacks better than any automated software method. However, in the real world, assuming the worst of your coworkers—both in motivation and skill—is just as prudent as locking your car in a church parking lot. ■

David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the U.S. Navy and an intelligence analyst at DEFSMAC. He can be reached at david@globalpov.com. Send feedback and column ideas to Senior Editor Daintry Duffy at dduffy@cxo.com.


In  this  tough  job  market,  underemployed  young  techies 
pose  a  serious  security  threat  By  David  H.  Holtzman 


Y  MEMORIES  OF  long-dead  dotcoms  are  of  data  centers 
bustling  with  young  people:  gurus,  geeks  and  gnomes  with  the  uncanny  ability  to 
mind-meld  with  a  computer.  Many  of  them  lacked  college  degrees,  some  even  high 
school  diplomas.  But  from  this  dormant  piece  of  economic  history  a  new  corpo¬ 
rate  security  threat  is  rising— and  it  won’t  be  detected  by  a  firewall  or  fancy  intru¬ 
sion  detection  system. 

In  the  high-flying  ’90s,  employment  was  a  cinch  for  these 
kids— it  was  a  seller’s  market.  But  the  tech  sector  has  lost 
more  than  560,000  jobs  since  2001,  according  to 
the  American  Electronics  Association.  Cre¬ 
dentials  are  the  differentiator  in  a  buyer’s 
market.  The  brilliant  young  turks  who 
apply  for  jobs  without  formal  train¬ 
ing-offering  only  an  instinctive 
knowledge  of  computers— won’t  get 
hired  as  systems  administrators  and 
security  experts.  Perhaps  they’ll  end 
up  as  clerical  workers  or  night-shift 
operators  in  a  call  center.  The  explosion, 
however,  will  come  when  the  flame  of 
their  resentment  at  being  underemployed  is 
catalyzed  by  their  boredom. 

In  the  past,  geeks  tolerated 
menial  jobs  because  they  had 
reasonable  expectations  of 
transfer  or  promotion  in  peri¬ 
ods  of  rabid  corporate  hiring.  In 
today’s  wispy  labor  market,  they’ll  take  the 
position  because  they  have  to  eat,  but 
prospects  of  upward  mobility  have  been  dras¬ 
tically  cut  by  their  lack  of  formal  education. 

As  it  becomes  harder  for  hackers  to  earn  a  good 
living  and  long-term  employment  hopes  fade,  less 
traditional  revenue  opportunities  such  as  corpo¬ 
rate  espionage  or  even  sabotage  may  look  more 
tempting. 

Awareness  of  this  situation  helps  mitigate  the 
risk.  Other  preventative  hiring  measures  include 
background  checks  for  anyone  with  network 
access,  and  outside  scrutiny  of  administrative 
routines  to  expose  security  “blind  spots.”  For 


26  www.csoonline.com  May  2003 


ILLUSTRATION  BY  PHUNG  HUYNG 
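The detection advice in the column above (bait files with important-sounding names, a decoy account with an easy password, a few fake database records, and the outbound FTP session that gave the ex-employee away) reduces to a handful of rules that need no tuning, because nothing legitimate ever touches a decoy. What follows is an added example written for this page, not Holtzman’s own code: the log lines are constructed to resemble Samba full_audit, sshd and iptables output, and the bait file names, the svc_backup account and the 10.20.0.0/16 call-center range are assumptions for the example.

```python
import re
from collections import defaultdict

# Decoys planted for this example. The file names, the account and the subnet are
# assumptions, not details from the column; a real deployment picks its own.
BAIT_FILES = {"finance/Q2_acquisition_targets.xls", "hr/salary_review_2003.doc"}
HONEY_ACCOUNT = "svc_backup"   # restricted account, deliberately weak password, no legitimate user
CALL_CENTER_NET = "10.20."     # call-center range; nothing there has a business reason to talk FTP

# Constructed log lines in the shape of Samba vfs_full_audit, sshd and iptables LOG output.
SAMPLE_LOGS = """\
May 12 16:58:02 fs1 smbd_audit: jdoe|10.20.4.17|open|ok|r|finance/Q2_acquisition_targets.xls
May 12 16:58:09 fs1 smbd_audit: jdoe|10.20.4.17|open|ok|r|finance/Q2_forecast.xls
May 12 17:01:44 gw1 sshd[2210]: Failed password for svc_backup from 10.20.4.17 port 51344 ssh2
May 12 17:01:51 gw1 sshd[2210]: Accepted password for svc_backup from 10.20.4.17 port 51344 ssh2
May 12 17:03:11 fw1 kernel: OUT=eth1 SRC=10.20.4.17 DST=203.0.113.5 PROTO=TCP SPT=3402 DPT=21 SYN
May 12 17:03:40 fw1 kernel: OUT=eth1 SRC=10.50.1.9 DST=203.0.113.5 PROTO=TCP SPT=3410 DPT=21 SYN
May 12 17:04:00 gw1 sshd[2231]: Accepted password for amaria from 10.50.1.9 port 40012 ssh2
"""

SMB_RE = re.compile(r"smbd_audit: (?P<user>[^|]+)\|(?P<ip>[^|]+)\|open\|ok\|[rw]+\|(?P<path>.+)$")
SSH_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)")
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*DPT=(?P<dport>\d+)")


def scan(log_text):
    """Return (rule, source_ip, detail) alerts. Decoys have no legitimate users, so any touch is an alert."""
    alerts = []
    for line in log_text.splitlines():
        if m := SMB_RE.search(line):
            if m["path"] in BAIT_FILES:
                alerts.append(("bait_file_opened", m["ip"], f"{m['user']} opened {m['path']}"))
        elif m := SSH_RE.search(line):
            if m["user"] == HONEY_ACCOUNT:   # even a failed attempt means someone is guessing at it
                alerts.append(("honey_account_login", m["ip"], f"{m['result']} password for {m['user']}"))
        elif m := FW_RE.search(line):
            if m["src"].startswith(CALL_CENTER_NET) and m["dport"] == "21":
                alerts.append(("ftp_from_call_center", m["src"], f"FTP control connection to {m['dst']}"))
    return alerts


def hosts_by_distinct_rules(alerts):
    """Rank source hosts by how many different decoys they tripped; several from one desk means walk over now."""
    per_host = defaultdict(set)
    for rule, ip, _ in alerts:
        per_host[ip].add(rule)
    return sorted(((ip, sorted(rules)) for ip, rules in per_host.items()), key=lambda t: -len(t[1]))


# Canary records: the database equivalent of a cartographer's fake town. Three rows that exist
# nowhere else go in first, in the middle and last, so a partial dump still carries at least one.
CANARIES = [
    {"id": 9001, "name": "Canary Alpha", "phone": "+1-555-0100"},
    {"id": 9002, "name": "Canary Beta", "phone": "+1-555-0101"},
    {"id": 9003, "name": "Canary Gamma", "phone": "+1-555-0102"},
]


def plant_canaries(rows, canaries=CANARIES):
    """Return a copy of rows with one canary at the beginning, one in the middle and one at the end."""
    first, middle, last = canaries
    out = [first] + list(rows)
    out.insert(len(out) // 2, middle)
    out.append(last)
    return out


def canaries_found(suspect_rows, canaries=CANARIES):
    """Names of planted canaries present in a list we never published: evidence it was copied from us."""
    keys = {(c["name"], c["phone"]) for c in canaries}
    seen = {(r["name"], r["phone"]) for r in suspect_rows}
    return sorted(name for name, phone in seen & keys)


if __name__ == "__main__":
    for rule, ip, detail in scan(SAMPLE_LOGS):
        print(f"ALERT {rule:<22} {ip:<12} {detail}")
    print(hosts_by_distinct_rules(scan(SAMPLE_LOGS)))
    customers = [{"id": i, "name": f"Customer {i}", "phone": f"+1-555-02{i:02d}"} for i in range(1, 7)]
    leaked = plant_canaries(customers)[:5]   # pretend a competitor obtained the first half of the table
    print("canaries in leaked copy:", canaries_found(leaked))
```

The honeytoken rules need no baseline or threshold: a bait file, a decoy account and an FTP control connection from the call center are each alert-worthy on first sight, and one host tripping all three is the desk to walk to. The canary check works the same way in reverse; a record that exists only in your own database cannot turn up in a competitor’s customer list by coincidence, so a match is provenance, not a statistic.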


Advertisement

Sony Puppy® Fingerprint Identity Products

VPN / Remote Access: Digital Certificate
Network Login: Password
File Security: Encryption
Web Portal: Password
Paperless Contracts: Digital Signature

IT DOESN’T JUST RECOGNIZE YOUR FINGERPRINT; IT RECOGNIZES YOU.

Password-protected Web sites and applications can now be accessed without having to remember a long list of passwords. Simply place your finger on the pad, and click, you’re there! Unlike a password, your fingerprint can’t be forgotten or stolen! The Sony line of Puppy® Fingerprint Identity Products provides personal authentication, network access, and file encryption, as well as more robust public key infrastructure (PKI) transactions, personal digital certificates, and Virtual Private Networks... all accessible at a touch within your existing IT infrastructure. And there’s no way someone else can ever gain access to your fingerprint file, because its record never has to leave the device. Unlike other fingerprint ID systems, only Sony can scan, match and store your private fingerprint information onboard. How’s that for secure?

When you consider Sony’s background in imaging and electronics, it’s not surprising that the line of Puppy® Fingerprint Identity Products is the Work Smart approach to security.

Work Smart. Work Sony.

FIU-710 Fingerprint Identity Token
FIU-900 Memory Stick® Fingerprint Identity Token
FIU-600 Fingerprint Identity Device

© 2003 Sony Electronics Inc. Reproduction in whole or in part without written permission is prohibited. All rights reserved. Sony, Memory Stick, and Puppy are trademarks of Sony. Dog image © artlist INTERNATIONAL.

VISIT WWW.SONY.COM/PUPPY FOR INFORMATION ON SONY’S FULL LINE OF FINGERPRINT IDENTITY PRODUCTS.

Corporate spies come in many guises, but they all have one thing in common: They want to use your company’s secrets for competitive gain. This is a five-step guide to how they operate.

By Sarah D. Scalet

IN THIS STORY: The risks that competitive intelligence presents to CSOs ■ The tricks corporate sleuths are using to unearth secrets ■ How to defend your company against social engineering tactics


If a thief tries enough doors, odds are good he’ll eventually find the one that’s been left unlocked. Consider the following examples.

In  the  week  before  one  company  released  its  quarterly  report,  employees  in 
units  that  report  to  the  CFO  received  some  200  calls  from  people  claiming  to  be 
with  a  credit  reporting  agency  that  needed  information  about  the  earnings 
report  prior  to  its  release.  Employees  were  instructed  to  transfer  all  such  inquiries 
to  the  security  office,  but  the  calls  kept  coming.  A  research  company  hired  by  the 
competition  was  betting  that  eventually,  someone  would  slip. 

An engineer regularly had lunch with a former boss now working for a competitor, and he fancied himself a hero as he collected rewards from management for gathering competitive intelligence. Little did he know that the information he was giving up in return caused his employer, formerly the market leader, to lose three major bids in 14 months.

Immigrants  from  Eastern  Europe  who  were  working  as  scientists  on  an 
American  defense  project  kept  getting  unsolicited  invitations  from  their  home 
countries  to  speak  at  seminars  or  serve  as  paid  consultants.  The  invitations 
appealed  to  them  as  scientists— they  wanted  to  share  information  about  their 
work with peers. The countries saw this kind of intelligence gathering as cheaper than research and development.

ILLUSTRATIONS BY HUGH D’ANDRADE

Intellectual Property

It’s Not Just the French: Espionage Around the World

Ira Winkler traces France’s notoriety for industrial espionage all the way back to the 17th century. “Back in the reign of Louis XIV, he decided that what’s good for French business is good for the French economy,” says Winkler, chief security strategist for Hewlett-Packard and author of Corporate Espionage. “Since then, there’s been a close integration of the country’s intelligence and companies dealing with foreign competitors.”

France is hardly alone. Over the years, China, Latin America and the former Soviet Union have all developed reputations as places where industrial espionage is widely accepted, even encouraged, as a way of promoting the country’s economy.

So how, exactly, should the CSO of a global business go about evaluating the threat of doing business in different parts of the world without feeling like a xenophobe? Look no further than the Corruption Perceptions Index published each year by Transparency International (and made famous by The Economist magazine), says Harvard Business School professor Ashish Nanda. “It’s almost become a science where we can predict: The more corrupt the society and the greater the overall business activity in that society, the more active commercial espionage will be,” he says.

In 2002, on a list of 102 countries ranked from “most clean” to “most corrupt,” the bottom 15 countries (starting with the most corrupt) were Bangladesh, Nigeria, Paraguay, Madagascar, Angola, Kenya, Indonesia, Azerbaijan, Uganda, Moldova, Haiti, Ecuador, Cameroon, Bolivia and Kazakhstan. And on a different list of 21 larger countries, Russia, China (excluding Hong Kong), Taiwan, South Korea and Italy showed up as the five most likely to pay bribes to win or retain business.

France ranked 25th (relatively clean) on the first list, and 12th (out of 21) on the second. To download the full results of the index, visit Transparency International at www.transparency.org. -S.S.

All of the previous stories are true. “People think that stuff doesn’t happen, that it’s all TV and movies, but the fact is that these things do happen—not every day, but with regularity,” says William Boni, vice president and CISO of Motorola and a former Army counterintelligence officer who coauthored Netspionage: The Global Threat to Information.

“I call it the death of a thousand cuts,” Boni continues. “Because most organizations don’t have a means of tracking the loss of proprietary information; they go on constantly hemorrhaging, constantly losing market share. Gradually it takes the vitality out of the organization because it’s hard to invent and create things faster than people are leaking it or stealing it. It might be seen as, oh well, that’s just bad luck in business.”

But it’s bad luck that adds up to billions of dollars each year for U.S. businesses, according to a survey done by the American Society for Industrial Security. The 138 companies that responded to the September 2002 survey reported that the loss of proprietary information, often in the form of research and development or financial data, cost them at least $53 billion in 2001 alone.

Fortunately, hanging onto proprietary information—whether it’s a trade secret or just a few strategic details that may seem inconsequential—isn’t just about luck. It’s about understanding the dark forces that are trying to get information from your company and piece it together in a useful way. Some of these forces come in the guise of “competitive intelligence” researchers who, in theory anyway, are governed by a set of legal and ethical guidelines carefully wrought by the Society of Competitive Intelligence Professionals (SCIP). Others are outright spies, hired by competitors or even foreign governments, who’ll stop at nothing—bribes, thievery, a pressure-activated tape recorder hidden in your CEO’s chair. Most tromp on a gray zone in between.

The boundaries between espionage and competitive intelligence might matter to those in the profession, but regardless of how these snoops operate, they all have one thing in common: They want to use your company’s secrets for competitive gain. And the sometimes subtle distinctions between legal and illegal, ethical and unethical, should matter little to the CSO. “I don’t care if they’re ethical or not,” says Richard Lew, director of security and risk management for Dial Corp. “It’s our information—go away.”

Making them go away, however, depends on understanding them. To help, we’ve compiled a five-step primer on how the bad guys operate. Use it at your competition’s risk.

STEP 1: Find Out What’s Public

Leonard Fuld has had this conversation before. “Everybody would like to think about the dark side,” gripes Fuld, whose eponymous intelligence consulting company in Cambridge, Mass., has one of the less-blemished reputations among companies that deal in corporate secret gathering.... Excuse us, competitive intelligence.

“You need to make it clear to your audience,” he lectures, “that more damage is done by a company being lax about how it handles information than by thieves. Sure, there are people out there who want to take your information, but more often than not, your own company is doing damage to itself by not being tight about how it controls information.” That laxity, he insists—and not social engineering trickery or outright illegality—is what allows his company to gather competitive intelligence, both for companies that want to keep tabs on rivals and those that want to identify their own leaks.

Fuld has a point about those plain-sight opportunities. Salespeople show off upcoming products at trade shows. Technical organizations describe in great detail their R&D facilities in job listings, trying to attract top-notch scientists. Suppliers brag about sales on their websites. Publicity departments issue press releases about new patent filings. Companies in industries targeted by regulators over-report information about manufacturing facilities to the Environmental Protection Agency or OSHA, which can be part of the public record. Employees post comments on Yahoo bulletin boards.

Those pieces of data tell a competitor what your company is doing. Combined, the right details might help a rival reduce your first-to-market advantage, improve the efficiency of its manufacturing facility or focus research in a profitable direction. “The dots of data are out there in different forms; it’s a matter of somebody piecing together that picture,” says Fuld, who compares his job to looking at the dots of a pointillist painting and being able to imagine the greater picture.

And if the dots aren’t in public places? He can start making phone calls.

STEP 2: Work the Phones

You’d be shocked by the things people tell John Nolan. This is the man who got his fingers burned in the infamous “dumpster diving” espionage case in 2001 involving Procter & Gamble and Unilever. Nolan won’t comment on the case, which was settled out of court, but he insists that there’s no need for his company to break the law. “In our experience, it’s just not worth it,” says Nolan, founder of the Phoenix Consulting Group. “It’s just not necessary. It’s a pain in the neck.”

Nolan has other ways of getting people to talk. In fact, people like him are the reason that seemingly benign lists of employee names, titles and phone extensions, or internal newsletters announcing retirements or promotions, should be closely guarded. That’s because the more information Nolan knows about the person who answers the phone, the better he can work that person for information.

“I identify myself and say, ‘I’m working on a project, and I’m told you’re the smartest person when it comes to yellow marker pens. Is this a good time to talk?’” says Nolan, describing his methods. “Fifty out of a hundred people are willing to talk to us with just that kind of information.”

The rest? They ask who Phoenix Consulting Group is. Nolan says—and this is true—that Phoenix is a research company working on a project for a client he can’t name because of a confidentiality agreement. Fifteen people hang up, and the other 35 start talking. Not a bad hit rate. Nolan starts taking notes that will eventually make their way into two files: one, information for his client, and the second, a database of 120,000 past sources, including information about their expertise, how friendly they were, and personal details like hobbies or graduate school.

A former intelligence officer, Nolan doesn’t ask direct questions but instead uses a method known as “elicitation,” guiding the conversation in ways that seem innocuous. Suppose he wants to know how a company is pricing a product for government procurement so that his client can win a bid. He calls someone in accounting. “Nobody ever runs down to accounting and says, ‘Ooh, this is so exciting.’ So I convince him I’m interested in who he is and what he does. I can be really slow, and I can be confused. I can make purposely erroneous statements: ‘You guys are probably getting $5,000 a widget out there.’ And he’ll say, ‘You gotta be kidding, times are tough. We had to reduce our prices down to $3,200.’”

Bingo.

“People get pretty sophisticated in their scams,” says Lew, who makes sure Dial employees receive awareness training. “They’ll come up with a plausible answer to any question you might have. Before you know it, a five-minute survey turns into a 20-minute gut-wrenching experience, and you hang up thinking, ‘I took care of that, I’m an expert.’” In fact, quite the opposite is true. You’ve just been duped.

This is the kind of social engineering that infamous hacker Kevin Mitnick glamorizes in his new book The Art of Deception. Such scams might also include “pretext” calls from someone pretending to be a student working on a research project, an employee at a conference who needs some paperwork or a board member’s secretary who needs an address list to mail Christmas cards.

Most of those calls aren’t even illegal. Although it is against the law to pretend to be someone else in particular—Sam up in the CEO’s office—it’s not illegal to be dishonest, points out Richard Horowitz, a New York attorney who helped formulate SCIP’s guidelines. People do it all the time. “It’s not illegal to lie and say to someone, ‘Yes, your daughter looks beautiful on her wedding day,’” he says.

In the business world, “Whenever someone manages to get information about you that you didn’t want them to have, you’re going to call it espionage,” he continues. “People use the words theft and spooking and spying when they don’t like what the other person does.”

Meanwhile, the other person has plenty more tricks.




STEP 3: Go Into the Field

During the technology boom, one early morning flight from Austin, Texas, to San Jose, Calif., earned the nickname the “nerd bird.” Shuttling businesspeople from one high-tech center to another, that flight and others like it became good places for job recruiters. They also became great places for competitive intelligence professionals, who might overhear useful discussions among coworkers talking loud enough to be heard over air vents and engine roar, perhaps behind a shoulder-surfable PowerPoint presentation or financial spreadsheet.

Any public place where employees go, snoops can also go: airports, coffee shops, restaurants, and bars near company offices and factories, and, of course, trade shows. There, an operative working for the competition might corner one of your researchers after a presentation or pose as a potential customer to the sales team to try to get a demo of a new product or learn about pricing.

Again, this isn’t illegal or even, some say, unethical. Fuld & Co. once did a scruples survey asking 122 competitive intelligence professionals in Europe and North America whether it was normal, aggressive, unethical or illegal to take off your badge before approaching a competitor at a trade show. In North America, 34 percent of respondents considered this behavior aggressive, and 50 percent found it unethical. In Europe, however, 56 percent of respondents said this was normal behavior. That’s your problem, by the way. “It behooves the person on the other side of the trade show booth to find out who you are,” Fuld says.

It  also  behooves  the  chief  security  officer  to 
ensure  that  employees  know  not  to  talk  about 
sensitive  business  in  public  places,  and  to 
work  with  the  marketing  department  to  make 
sure  the  risks  of  revealing  information  at  a 
trade  show  don’t  outweigh  the  benefits  of 
drumming  up  business. 

And then there are those times when a company lets a near-stranger inside its doors for that most delicate of all conversations: the job interview. It’s unlikely that competitors would risk directly sending someone on a job interview, but it is entirely possible that they could hire a questionable competitive intelligence firm to check things out—or, more likely, hire a reputable competitive intelligence firm that contracts out its dirty work.

“They would go through the interview process to find out about what type of work the person would be assigned to and what kind of experience the company was looking for,” explains Richard Heffernan, president of R.J. Heffernan Associates, who has done consulting for IP-intensive clients in the technology and biotech sectors. Heffernan’s work includes educating employees about counterintelligence. “They’d try to find out as many scientific and technical details as possible,” he says.

This  cuts  both  ways.  A  competitor  also 
might  invite  one  of  your  employees  in  for  a  job 
interview  with  no  other  purpose  than  gleaning 
information  about  your  processes. 

As with comments made in public places, even the most offhand statements (“We were working on XYZ, but we’re expecting to work on ABC next year”) can be incredibly useful to a competitor, Heffernan explains. “If I know an area that a company has not been working on and why, I will not spend time trying to duplicate a lot of research; I will use a different path,” he says.

Awareness training can be effective in plugging up this drip-drop of information, but only if it’s targeted to the information that a specific group of employees needs to guard, Heffernan says. At a manufacturing facility, for instance, you might educate employees about the fact that a certain competitor is known to be working on a particular type of manufacturing technology. “I’d say, ‘If that competitor were able to get this information, they would be able to move their process that much [further] forward,’” he says. “When you talk about something that engineers or scientists have worked on for a great deal of their life, and they see that it is at risk, they’re very attentive to what you’re talking about.”

STEP 4: [Piece It] Together

This leads us to perhaps the trickiest part of protecting against competitive intelligence: that it’s not only trade secrets that are valuable to your rivals. In some ways, in fact, trade secrets are easy to protect. Stealing them is illegal under the 1996 Economic Espionage Act. Employees usually know that they’re valuable, and nondisclosure agreements may protect your company further. What’s more complicated is helping employees understand how seemingly innocuous details can be strung together into a bigger picture—how that company phone list becomes a weapon in the hands of John Nolan.

Consider this scenario: Nolan once had a client who wanted him to find out whether any rivals were working on a certain technology. During his research of public records, he came across nine or 10 people who had been publishing papers on this specialized area since they were grad students together. Suddenly, they all stopped writing about the technology. Nolan did some background work and discovered that they had all moved to a certain part of the country to work for the same company. None of that constituted a trade secret or even, necessarily, strategic information. But Nolan saw a picture forming.

“What that told us was that they had stopped [publishing information about the technology] because they recognized that the technology had gotten to a point where it was probably going to be profitable,” Nolan says. Then, by calling the people on the phone, going to meetings where they were speaking on other topics, and asking them afterward about the research they were no longer speaking publicly about, Nolan’s firm was able to figure out when the technology would hit the market. This information, he says, gave his client a two-year heads up on the competition’s plans.

“The whole executive suite was wired for motion and sound. The first team that came in to look for bugs was probably installing them.”
-WILLIAM BONI, MOTOROLA’S CISO

Spy Repellent

Espionage strategies range from illegal to merely sleazy. In most cases, the best defense is employee awareness. Each entry below gives how a rival could snoop, whether the law can help, and the defense.

How a rival could snoop: Look at Securities and Exchange Commission filings and annual reports to see where you are making investments and generating profits.
Can the law help? No. This is public information.
Defense: You can’t, at least not when information must be disclosed for legal reasons or when disclosure benefits outweigh the risks.

How a rival could snoop: Study regulatory filings like those filed with the Environmental Protection Agency or OSHA. They may be freely available or obtained through a Freedom of Information Act (FOIA) request.
Can the law help? Most of this information is on the public record, but some sensitive information, like trade secrets, is protected from FOIA requests.
Defense: Make sure that documents aren’t overly revealing, which can happen when other companies in an industry have been targets of regulatory agencies.

How a rival could snoop: Study job postings to learn about your facilities, desired skill sets and company expansions.
Can the law help? No. You want this information to be public.
Defense: Be stingy with details; remove postings as soon as jobs are filled. Use “blind” postings on job boards.

How a rival could snoop: Send someone on a job interview to gather information about your facilities and strategy.
Can the law help? Not much. As a general rule, misrepresenting oneself is not against the law (though, see below).
Defense: Make sure you’re not giving away more information than necessary during the interview process.

How a rival could snoop: Read press releases on your company website to find out about developing strategies.
Can the law help? No. Press releases are intended for the public.
Defense: Purge press releases that have outlived their usefulness.

How a rival could snoop: Attend a talk by your researchers at a conference and ask questions afterward. Or visit your trade show booth pretending to be a customer.
Can the law help? No. These are public events, and trying to boot someone you suspect is a spy can get your company in legal trouble.
Defense: Warn employees about this ruse, and educate them about what kinds of information they have that would be most useful to rivals.

How a rival could snoop: Call your employee and pretend to be the assistant to the CEO looking for information.
Can the law help? Yes. While it’s not illegal to misrepresent oneself, it is illegal to pose as a specific person.
Defense: Educate employees about how to respond to requests for information.

How a rival could snoop: Call a current employee and pretend to be working on a research project for school or doing a survey for a market research firm, perhaps asking questions that seem innocuous.
Can the law help? This is illegal only if the guise prompts the employee to disclose a trade secret, in which case a lawyer could argue that it must not have been a trade secret if it were so easily revealed.
Defense: Always ask for a name and phone number and confirm the identity of someone unknown. Suspicious calls should be transferred to corporate communications or the security office.

How a rival could snoop: Call a laid-off employee or recent retiree to pump them for information, hoping they’re either disgruntled or eager to talk about their former work.
Can the law help? The target may be violating a nondisclosure agreement, but the caller is probably not breaking the law (unless a trade secret is in play).
Defense: Make sure employees who have access to sensitive information sign nondisclosure agreements.

How a rival could snoop: Listen in on conversations at a restaurant or coffee shop frequented by employees, or at airport lounges or on flights.
Can the law help? No.
Defense: Remind employees not to have sensitive conversations in public places; educate them about what information would be most useful to rivals.

How a rival could snoop: Go dumpster-diving (sort through your trash for useful documents and other information).
Can the law help? This is illegal only if the trash is on private property.
Defense: Have a shredding policy; educate employees about which documents are sensitive.

How a rival could snoop: Employ someone on the night cleaning staff to make copies of important documents or plant what some professionals call “clandestine listening devices” and the rest of us call “bugs.”
Can the law help? This is illegal but widely accepted in some countries.
Defense: Build security into contracts with cleaning services. Make sure employees lock sensitive documents up at night. Consider hiring a security firm to periodically sweep for bugs.

How a rival could snoop: Bribe a hotel cleaning staff to get access to an executive’s hotel room, either to plant a bug or to steal documents or a laptop computer.
Can the law help? This is illegal but widely accepted in some countries.
Defense: Have employees guard documents and laptop computers closely. On trips to high-risk areas, consider having executives use pseudonyms.

Still hard to fathom? Then challenge yourself to think like a spy and apply it to your own company. Suppose you work for a cement manufacturing company, and you and your rivals are bidding on a big contract with the Pakistani government, says Ira Winkler, chief security strategist at Hewlett-Packard and author of Corporate Espionage, who spent 11 years working with the National Security Agency. The intelligence goal, Winkler says, is to learn what your rivals are bidding so that you can undercut their prices. During the week the government has asked people to come make presentations, you chat up the staff at nice hotels in Islamabad, to find out if there are any guests from cement companies. Better yet, Winkler says, “If you know the name of the person who’s the vice president of development for Europe/East Asia for your competitor, you could call up the hotel and ask if Mr. So-and-So is going to be there next week.” Once you know who else is bidding, “you go to their customers and ask how much the competitor sold them cement for, saying you’re willing to cut them a break.”

And if those customers have confidentiality agreements in place? Well, you could always pay the hotel cleaning staff $25 to let you into the executive’s room for 10 minutes, where you could hide a microphone or take pictures of documents. The rival would never know—even, perhaps, after losing the bid.

“Why would it be far-fetched?” Winkler asks. “In America, it’s just not done, typically. However, the reality is that throughout the rest of the world, competitive intelligence is just a fact of life. Americans are fairly naive about how things are handled.”

STEP: And If All Else Fails...

The fact is, other countries can have vastly different ethical and legal guidelines for information gathering. Almost everything we’ve talked about so far is legal in the United States, or at least arguably so in the hands of a clever lawyer. But there’s another realm of corporate sleuthing—bugs, bribes, theft, even extortion—that is widely practiced elsewhere.

In his days as a global security consultant, Motorola’s Boni saw plenty of it. Once, a local bank in South America brought in a security consultancy to sweep the place of bugs. When the loss of information continued, the bank hired a different security team. “They found 27 different devices,” Boni recalls. “The whole executive suite was wired for motion and sound. The first team that came in to look for bugs was probably installing them.”

Espionage is sometimes sanctioned or even carried out by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country’s economy. One common ruse is to organize professional conferences and invite native scientists who have emigrated to the United States. In other situations, the government might bug hotel rooms or tap phones, as the French are known for doing. (For more information on which countries pose the greatest risks, see “It’s Not Just the French: Espionage Around the World,” Page 30.) Espionage can be a lot cheaper, after all, than investing in research and development, and it’s very difficult to defend against when it’s backed by a foreign government.

That’s why no one set of guidelines for protecting intellectual property will work everywhere in the world. The CSO’s job is to evaluate the risks for every country the company does business in and act accordingly. Some procedures will always be the same, such as reminding people to protect their laptops. “The countermeasures stop the vulnerabilities,” says Winkler, regardless of the source of the threat—“whether it’s petty crime, organized crime, a foreign competitor or a foreign company.” And some things will be different. Executives traveling to Pakistan might need to register under pseudonyms, have their hotel rooms or work spaces swept for bugs, or even have security guards help protect information.

It’s a difficult job, to be sure. It requires looking at security holistically, understanding what information is most valuable, evaluating threats around the world and educating everyone in the business. Nolan likes to joke about one company where he helped evaluate its intelligence risks. When he asked if the security officer would attend a meeting, everyone laughed. “They said, ‘No, Barney probably wouldn’t fit into this conversation,’” he recalls. “I said, ‘Is his name Barney?’ And they said, ‘No, he just fits the Barney Fife image.’”

This is not a job for the Barney Fifes of the world. It’s much more difficult, with much more responsibility. But isn’t that what CSOs are asking for? ■

Senior Writer Sarah D. Scalet can be reached via e-mail at sscalet@cxo.com.

Don’t let loose-lipped employees sink your company’s ship. Read THE DANGER WITHIN: PROTECTING YOUR COMPANY FROM INTERNAL SECURITY ATTACKS, a CSOonline Analyst Report, for advice on creating a security-conscious culture. Go to www.csoonline.com/printlinks.




building the way you do the plumbing or wiring. Genzyme’s Dave Kent doesn’t have to imagine it—he got to do it. By Scott Berinato

IN THIS STORY: How one CSO brings security into the corporate culture and how that vision manifests itself in the construction of a new world headquarters

Cover Story | Security by Design


If there is just one word for The Genzyme Center in Cambridge, Mass., the word is glass. The biotech company’s eponymous headquarters, scheduled to open next October, will bestow upon its neighborhood (which happens to be the heart of the biotech industry) a 12-story, shimmering glass soul.

Start with its skin: 1,495 glass panels. Some of these sections are mirrored, including a six-story square that faces west and serves as a brilliant riposte to the afternoon sun. Other sections are tinted but still expose the subcutaneous layer. There, behind a narrow promenade that circuits each floor, is more glass. Specifically, transparent glass walls sidled by transparent glass doors lead in to offices that have identical glass doors and walls on the opposite side. It’s a 285,000-square-foot corporatarium. In certain spots, if you were washing windows, you could look right through the thing.

The architects at Behnisch, Behnisch and Partner say that they were trying to “encourage the often neglected or forgotten.” By that, they mean natural light, of course; and their design encourages natural light the way fire encourages heat. As if there was a choice. But this story isn’t about the architects.

The CEO and chairman of Genzyme, Henri Termeer, says the design is “from the inside out.” He means the building takes a worker’s perspective. Termeer also likes to assign warm and fuzzy corporate symbolism to the glass, its transparency and the light it lets in. But this story isn’t about Termeer either.

This story is about Dave Kent, vice president and CSO, who, when he thinks about the glass, usually sighs. Or shrugs. Sometimes, he wanders around the neighborhood with a spotting scope, peering through the glass and pretending that a piece of key intellectual property is plainly visible on a computer screen in one of the fishbowl offices. Transparency, for Kent, isn’t symbolism. It’s a corporal weakness.

“Yeah, the glass is a headache,” concedes Kent. “But the reality is you don’t design a building for security. You secure the design of a building. I accept that. It’s just nice to be able to play at this level.”

Earlier, Kent had laid out the level at which he plays, right across his desk: blueprints for The Genzyme Center. Trying to read them was, for me, like trying to read music for the first time, but this much was clear: They are blueprints for security. They delineate placement of surveillance. They show wiring for access systems. And they detail the design of the Security Operations Center (SOC), a unique room that deserves attention (and will get it later).

In a most literal sense, security is a distinct layer in Genzyme’s plans, as intrinsic as plumbing or electrical systems. The same holds true for the company’s sites in Buenos Aires and Waterford, Ireland, both represented by rolled tubes of blueprints leaning against a wall in Kent’s narrow office. In other words, the level Kent plays at is the most fundamental one—planning and design, not only of buildings but of the future of a growing company. This means he’s got the highest level of executives thinking about security. That should make most of you envy Dave Kent.

The story of how he got to this envious position started eight years ago; the story of how he built security into The Genzyme Center started on the top floor. He told both stories while touring the construction site one frigid winter day.

The 12th and highest floor of The Genzyme Center will become executive offices and, in a somewhat democratic gesture typical of Termeer, the company cafeteria. David Vroman, who works for the contractor, Turner Construction, is with us. “I’ve never worked on a building like this,” Vroman says, leading us

“And I’ll probably never do another building like this again. This is a landmark job.”

Beyond the low wall is the building’s interior signature: a yawning atrium that reaches from the ground level to the skylight above our heads. Randomly, sections of floors below us jut into the open space, disrupting the atrium’s basic triangular shape. Still, you can see past all that straight down to ground level—a semipublic area with retail shops, a large pool of water dotted with fountains and a cafe set on an oblong concrete slab known affectionately by the contractors as “the Potato.”

From the 12th floor looking down, it’s nearly impossible to envision all of this because the atrium is filled with crisscrossed scaffolding. Soon enough, it will be filled with crisscrossed light.

Picture this: A prismatic array will sit under the skylight and capture diffuse light but deflect heat. The light will hit seven heliostats (10-foot square mirrors) hanging from the ceiling. The heliostats, controlled by computers, will move, almost imperceptibly, with the day and with the seasons to capture the most light possible. Some of the light will be relayed to the pool of water, which is polished stainless steel, essentially an oversize cake pan. More of the light will be dispatched to 19 mirror clusters throughout the atrium, each containing seven reflective surfaces, and each of those surfaces multifaceted. The clusters will redirect shafts of light toward dark corners of the atrium to brighten them. Whatever light is left is show business: It gets sent to reflecting prisms, basically chandeliers, that toss pretty designs against the walls.

“It’s going to be something else,” project manager Gordon Brailsford says with a fair bit of pride. “I’ve been told not to be surprised if Hollywood calls to shoot movies here.”


“The building is going to attract attention,” Kent says, pondering the security risk posed by a Hollywood crew skulking around at all hours or by a corporate function hosted in the atrium. As with the glass exterior, one man’s gorgeous aesthetic statement is another’s risk management question.

Kent was director of corporate security at BBN Technologies eight years ago when Genzyme, then an adolescent biotech company specializing in developing drugs for rare genetic diseases, hired him (he has since added vice president to his card). Not long before Kent was hired, some intellectual property had gone missing at Genzyme.

Kent has a security professional’s linebacker mentality, but it’s as if he’s playing touch football. Which isn’t necessarily a bad thing. In fact, none of the cliches about security guys fits Kent, save the fact that he owns a black leather jacket and on the bookshelf in his office are volumes such as The World’s Most Dangerous Places and Germs. In the context of his role at Genzyme, both are reference books. Flawless Consulting is for professional development. He is tall, quiet and affable in such a way that, after he disciplines you for some boneheaded security gaffe, you just might want to thank him.

He’d never say it, but he probably wasn’t surprised by the intellectual property theft. Upon arrival, Kent found a company with 13 different access systems and dozens of people authorized to give out access credentials. So, first off, he eliminated 12 of those systems in favor of one, which provided some dramatic ROI and quickly validated why he was hired in the first place.

But Kent took the job with grander ambitions. He took the job because, as he says, “this is much more fun than an old company where the walls are up already.” He knew Genzyme was growing, and he wanted to broadly affect its growth. He wanted security to be integrated into every aspect of that growth—hiring, partnering and building. His plan was no less ambitious than to get every employee thinking about security intrinsically. He wanted security to be, as he puts it, “the ugly little tugboat that turns the Queen Mary.”

That wasn’t easy, but it also wasn’t impossible. After all, Genzyme hired Kent because of a major security breach. Clearly, the company would invest in preventing another such disaster (stealing intellectual property from a biotech company is like stealing money from a bank, only worse; ideas about how to cure rare diseases aren’t replaced as easily as cash). Then again, security awareness has a half-life. The further an incident recedes into the past, the harder to keep executives’ collective attention.

In hindsight, Kent says he didn’t realize how ambitious a plan he had crafted. “For me it was like merging onto a freeway,” he says. “First you’re thinking, Jeez, these cars are going fast. Then you’re in traffic but you’re still going slower than everyone else. Eventually, you’re part of the flow.” It took Kent two years to make security an integral part of Genzyme’s culture.

“Now, we have our own layer in the blueprints,” Kent said the day he spread the plans across his desk. They are labeled Genzyme Confidential—another standard that Kent created—which means contractors must adhere to Genzyme’s security standards. A security staffer attends weekly construction and architect’s meetings. And Kent provides input into every phase of the project, including IS (he pulled that tactical discipline under his purview too). Brailsford says, “I could not envision doing a project that didn’t have security integrated from day one.”


Superstructure

From day one, when Kent set out to integrate security into The Genzyme Center plans, he started from as deep inside the organization as he could get. He sanitized blueprints because some are public documents filed with the city. It doesn’t make sense, for example, to identify labs and their purpose. He pushed for, and got, a lecture hall designed with pure acoustics. That way, he can discourage the use of wireless microphones, which can transmit up to a mile. If someone absolutely needs a microphone, it can be encrypted using technology developed for the National Football League that allows coaches to talk to quarterbacks while keeping the other team from intercepting anything (but passes).

The architects’ design didn’t separate the first floor’s semipublic space from Genzyme’s second floor lobby. In fact, in an early design, the architects wanted to add doors into the atrium, which Kent’s IS officer, Bhavesh Patel, describes as a nightmare. “Imagine your house has two doors that are locked and then you add 20 wide-open doors,” says Patel. Kent inserted an access point to divide Genzyme’s space from the public space.

He also went outside the organization. He talked to security heads at businesses in the area. He asked about their policies and proposed possible collaboration—neighborhood-watch style. He went on his spotting scope trips, mapping out the vulnerable sight lines.

Heliostats, like the ones shown below (large photo), will move with the seasons to redirect the light they capture through the glass roof (inset). At ground level (right) is a semipublic area with retail shops, fountains and a cafe set on an oblong concrete slab known as “the Potato.”

The architects’ glassophilia, which led to Kent’s spying on his own facility, is starkly on display when we get to the seventh floor. Here, the exterior glass windows and clear-walled offices absorb so much sunlight that artificial lights would be feeble.

The building itself will know this, at certain hours. The Genzyme Center will employ a relatively cunning environmental control system. (The building is likely to receive a “platinum” environmental rating, the highest attainable under the comprehensive Leadership in Energy and Environmental Design rating system managed by the U.S. Green Building Council. Even if The Genzyme Center doesn’t hit the mark, it will be one of the greenest commercial buildings in North America.) The building will know when to open the windows. And if it starts raining, it will close them. If it’s bright outside, the building will open shades and turn off the (motion-activated) lights. It will also monitor humidity to gauge the need for air-conditioning.

“It does all this without thinking about security,” Kent says, “so I’m thinking about it.”

A pattern was emerging. In every feature that Brailsford, the architects, the CEO or Vroman from the contractor described with giddy pride—the glass, the atrium and the environmental controls—Kent found vulnerability. Innately, The Genzyme Center’s design is a security nightmare. If Kent hadn’t brought security into Genzyme’s culture, the center probably couldn’t be secured at a reasonable cost afterward, if at all. It’s conceivable to think that only because Kent has made everyone at Genzyme so security-conscious, including the CEO, that such an inherently insecure design could be approved.

Still filled with scaffolding, the atrium will eventually prove so effulgent that Hollywood will come calling.

Patel confirms that The Genzyme Center is a special case. “Typically, we try to work within the culture of the company,” Patel says. “With this building, the culture will have to change.”

The most obvious manifestation of this cultural shift, but not the only one, is a clean desk policy Kent’s team is developing. It will guide employees on what they should not leave on desks or computer screens. Kent has considered investing in whiteboards with automatic shutters. He will not be shy about enforcing the clean desk policy through spot checks and discipline. When Genzyme moves the more than 900 crowded employees out of their current home down the road at the old Boston Woven Hose and Rubber Co., Kent will start to change their behavior.

Once, when Kent talked about the cultural shift he’s about to foist on his company, he said it was about communicating trust and value. “It’s a collaborative approach,” he said. “If they trust you and you communicate value, you get your way.” Remembering his collection of books, I briefly wondered if this came from Flawless Consulting.

Another time, he called his philosophy CPP—his own acronym for Continuous Professional Pressure. This time, he sounded much less like a consultant and much more like a tugboat captain. “Apply the right pressure at the right points, and you can turn a huge ship,” he said. “A small, determined group can move a much larger organization.”

The fact Kent has kept continuous pressure on Genzyme’s brain trust for eight years now is something in itself. “I wanted to create parallel growth between our group and the company,” Kent says. “Security falls apart over time for a lot of reasons. Sometimes the security team gets tunnel vision and asks for too much, or nothing happens for so long that everyone lets their guard down. Keeping the growth parallel hasn’t been easy.”

In fact, it is so hard to keep the security goals mostly parallel to the business ones that Kent says he is proudest of the fact that he has managed to do so.

Construction

some of the ways Kent integrated security into the physical construction of The Genzyme Center: He created a universal card access system and linked it to the garage and then put surveillance at every access point. That helps to prevent one of the most common security problems, “tailgating”—when one person accesses a facility and holds the door open for another person. Kent integrated the motion-light system with security so that if a light is activated at, say, 2 a.m., it triggers an alarm. He infused the glass with break sensors, and he employed a limited number of biometric access systems (thumbprint readers) for highly sensitive lab areas.

In the smooth concrete support columns throughout the building, if you look closely, you’ll see two holes at various levels. Like unblinking eyes. Which are, in fact, what they will become. Inside the columns are the wiring systems for closed-circuit cameras that will plug into the support columns. Surveillance has been, literally, built in.

All of those features will link to the room we’re standing in now, the Security Operations Center, on the third floor. There is no glass and no natural light in this room. But when it’s finished it should attract as much attention from security professionals as the atrium will attract from Hollywood. It will look like any operations center, with screens at the front of the room and four “pods” for staffers facing the screens. But the SOC is a jewel—the ultimate manifestation of Kent’s ambitious security plan for Genzyme. It is one of the only operations centers that will combine physical and IT security in one space. Someone here will watch the network while someone else watches for intruders. The SOC will interlock with other Genzyme facilities worldwide. If an emergency occurs, redundant controls are present. A security team member in Ireland can switch control over to Cambridge. Cambridge could then monitor and control systems.

The SOC allows Genzyme to provide better security with fewer staffers. “It’s just good risk management,” Kent boasts. “Not a lot of people are combining all of the security disciplines the way we are.”

But in Geel, Belgium—where another Genzyme facility is being built—contractors recently told Kent that they want to reduce their project expenses by putting in a cheaper, noninterlocking security operations center. “We can’t do that,” Kent says. He’s already applying a little CPP in Geel. “We’ll turn that ship before they know what’s happened,” he says, and then suggests a tactic he had mentioned on a previous visit. “You take a mostly non-negotiable position,” Kent says, “and give the perception that there’s a negotiation.”


Glass

Finally, we’ve reached the first floor. Even though scaffolding fills the space, the atrium’s scope starts to materialize. From near the Potato, we spy surveillance ports in another support column.

Patel says not only do architects “go ballistic” when you want to tack up surveillance after the fact (they are, after all, in the business of aesthetics), but they’ll make you buy specialized conduit to match color schemes, or they’ll demand you find a way to hide it—to do what Kent designed in from the start. At any rate, Patel says, “it always ends up costing more.” Genzyme understands that. Continuous Professional Pressure.

Kent walks me by the spot where an access point will separate Genzyme from the public. To go back and retrofit the building for this, Brailsford says, “would be a nightmare and expensive [see “Hidden Strengths,” Page 44]. Dave has standards for entrance and egress, standard door hardware. Adding an access point later doesn’t make sense.” Genzyme understands that also. Continuous Professional Pressure.

Of course there is glass down here too. “Glass is the building’s signature,” Kent says, extraneously. “It’s everything.” Down here, the glass is terrific, huge windowpanes that allow the outside world and the inside world to commingle. Almost.

Thinking fairly standardly, Kent wanted to put a safety film on the inside of the glass down here, which would make it shatter gracefully during events he’d rather not talk about. (In fact, he wanted a polycarbonate glass with an even higher security rating, but the lesser glass had already been specified and ordered, so he compromised.) Or as he put it to the architects—who were apoplectic at the film suggestion—he was trying to stop this glass from ever becoming a thousand shard missiles.

The architects made Kent—or thought they made Kent—dance for them. He had to show them mockup panes with the film on them. He had to take them to other sites that use the film to prove it wouldn’t change the overall aesthetic of the glass. He had to build a case for the film.

“We didn’t position it this way,” he recalls, “but leaving the glass there without the film was something we weren’t going to accept.”

And Genzyme understands that too. The film is going on the glass. Continuous Professional Pressure. ■

Senior Editor Scott Berinato can be reached via e-mail at sberinato@cxo.com.


Continuous Professional Pressure (CPP) is one way for CSOs to exert their influence. Visit CSOonline’s STRATEGY & MANAGEMENT RESEARCH CENTER to learn about other methods. Go to www.csoonline.com/strategy.


May  2003  www.csoonline.com  43 


Hidden Strengths


DOES SECURITY HAVE TO BE AS UGLY AS A JERSEY BARRIER? OR CAN IT BE BOTH EFFECTIVE AND ATTRACTIVE? PLANNERS IN THE NATION’S CAPITAL ARE PUTTING WELL-DESIGNED SECURITY TO THE TEST.

BY DAINTRY DUFFY


IN THIS STORY: How the U.S. government is replacing the ugly cement barriers that protect its monuments and buildings with more subtle and secure measures

The stately white mansion at 1600 Pennsylvania Avenue has survived fire, scandal and an attack by the British. Someone even crashed a small plane into its facade. All the while, “America’s House” has sat, just yards away from its citizens, as a powerful symbol of the freedom and accessibility of democratic government. But in recent years, a wave of security threats has added layer upon layer of visual armor to the grounds and surrounding streets. Now the once elegant White House, like much of Washington, D.C., resembles a cluttered, battle-weary fortress—apprehensive and unreachable.

But even as security threats continue to multiply, signs of a more touchable terrain are emerging in Washington. A new initiative spearheaded by the National Capital Planning Commission (NCPC) is putting forward the almost treasonous idea that security and historic urban design can coexist—even complement one another. The commission’s $878 million “Urban Design and Security Plan” focuses on restoring the beauty, grandeur and accessibility to areas such as the White House, the Washington Monument and the Federal Triangle, which all have been blighted by jersey barriers and bollards in the recent “siege-chic” approach to security. The plan solicits proposals for ways to build security into the landscape in subtler ways that still provide an obvious deterrent to a terrorist but become virtually invisible to the average visitor.

[Illustration caption] Ordinary streetscape fixtures such as lamps, walls, trash cans and planters will be hardened to create an impermeable buffer between the street and the buildings. Such elements can be spaced and varied to give the street a natural rhythm.

PHOTOGRAPHY BY WALTER CALAHAN; ILLUSTRATIONS COURTESY OF NCPC

IN THE SUMMER OF 2002, the National Capital Planning Commission (NCPC) selected Michael Van Valkenburgh Associates in Cambridge, Mass., to create a plan for the area in front of the White House. Van Valkenburgh’s proposal—which the NCPC unanimously approved in March 2003—takes the currently barren area and turns it into a tree-lined pedestrian boulevard of crushed granite that would maintain the same security perimeter currently lined with jersey barriers. Instead of concrete slabs, the ends of the street would be marked with a mix of specially designed retractable, removable and fixed cast-iron bollards. The plan calls for replacing concrete bollards in front of the White House with groupings of trees to accent the vista, and putting several small guard booths designed to match the style of the White House fence beneath the trees. The new design preserves the current levels of security around the building, while turning the avenue into a place where people will feel comfortable celebrating and admiring the White House’s beauty and grandeur. The work will be completed in time for the 2005 inaugural parade. Of the $6.1 million Congress has allocated to the project, it has designated $2.8 million to complete the planning and design of the area. An additional $15 million for construction is in the president’s 2004 budget.

The concentration of high-risk iconography in such a small area makes Washington the ideal test bed for what security and landscape design can achieve together. But the NCPC’s project is about a lot more than urban beautification. It’s founded on the notion that security doesn’t have to look and feel so oppressive. Since the Sept. 11 attacks, so many of the security measures at airports, national landmarks and public gathering places that are aimed at making citizens safer—or at least making them feel safer—have had the opposite effect. How many people truly feel reassured by the sight of an antiaircraft missile launcher parked next to the Washington Monument?

“The fundamental paradox in security is that it seldom makes you feel secure,” says Richard Farson, president of the Western Behavioral Sciences Institute. “When you have armed guards going through baggage at the airport and the government is issuing alerts, people become very anxious and afraid. But safety measures can be unobtrusive. People don’t even have to know they exist.”

Good security—and by that we mean the measure most likely to prevent a breach—is about balancing the visible and the invisible; deterring the criminal without scaring off the public at large. That’s the real challenge of the work currently being done in the nation’s capital. And the success or failure of that effort will have a tremendous impact on everyone’s collective expectations for how security should look and feel in the future.


SINCE 1998, JERSEY barriers have ringed the Washington Monument, and recently a temporary security screening post has been added to the site. But a new plan developed by the Olin Partnership design firm headquartered in Philadelphia would do away with the temporary barriers and instead replace them with two sunken stone walkways that would encircle the monument. The three-foot drop in each walkway would prevent a vehicle from approaching the monument, but unlike the jersey barriers and crowd-control fencing, the walkways would be invisible from a distance. Visitors to the monument would enter a nearby lodge to access a 400-foot-long tunnel leading to the monument. The current screening center would be replaced by a skylit underground visitor center where people would go through a security check before accessing the elevator up to the monument.




Security  by  Design 


THE  BOLLARDIZATION  OF  D.C. 

It’s been said that if you had a dollar for every bollard in Washington, you’d be pretty flush. But those squat, reinforced concrete posts that dot the entries to forbidden roadways now share the city’s streetscape with still uglier jersey barriers and oversized concrete planters. The security threats of the past year and a half have certainly elicited a noticeable buildup in streetside fortifications, but the changes to the city’s landscape have actually happened more gradually.

“Security creep” is how one Washington insider puts it. “Over the last 15 years, more and more security devices have been employed in a helter-skelter fashion without any coordination or careful thinking about the impact,” says Richard Friedman, whom President Clinton appointed in 2000 to chair the NCPC’s interagency task force on security design.

In the early 1990s, lines of thick cement bollards were erected like giant teeth along the Pennsylvania Avenue curb, presenting a stark contrast to the graceful Federalist style White House fence behind them. Security was ratcheted up again after the Oklahoma City bombing, when Pennsylvania Avenue was closed to traffic, creating a vast concrete no-man’s-land bordered by jersey barriers and makeshift guardhouses. The White House answered public protest of the changes with promises to seek more aesthetically pleasing long-term solutions. But, predictably, those initiatives eventually became bogged down in Washington bureaucracy.

Then  came  September  11. 

At the White House—and elsewhere in and around Washington—bollards, planters, jersey barriers, metal crowd-control stands and even sewer pipes sprouted as omnipresent street fixtures. They were piled haphazardly along curbs, in thoroughfares, across sidewalks and in front of steps in a panicked effort to protect vulnerable buildings and historic monuments from the threat of bomb-laden vehicles, the delivery method of choice for the vast majority of terrorist attacks.


Although some of these barriers create a necessary distance between vulnerable buildings and the roads nearby, many have been plopped on random street corners where they seemingly protect nothing, or in front of sculptures and buildings that are unlikely targets for terrorism. “In the short term, [the buildup] is understandable, even laudable,” says Martha Droge, a landscape designer and urban planner with Ayers, Saint, Gross in Baltimore. “[The government] threw as many resources as it could manage at the problem, but doing so sent a poor message to visitors about our quality of life and sense of confidence in the country.”

In typical Washington style, the degree of visible security protection outside a building has even become a bit of a status symbol. “I don’t know whether the Agriculture Department needs to be totally fortified,” muses noted architect Arthur Cotton Moore, who has protested the security blockades that have sprung up around the city. “Terrorism is a PR effort; [terrorists] are going to go after the most dramatic thing they can hit—which is probably not the Department of Health and Human Services.”

[Illustration caption] Fortified fixtures such as bus stops and lamps can coexist with the city’s natural greenery to create useful and attractive spaces.

However, the overreaction to the terrorism threat did have one positive result: It infused with new energy the campaign for a more sensible and discreet approach to security design in Washington. In November 2001, for example, the NCPC task force released a series of recommendations for improving security and urban design in the city’s Monumental Core, and followed that up with a comprehensive plan for achieving those recommendations in October 2002. For Friedman, the key to breaking through the bureaucracy was getting all the various stakeholders, including the Secret Service, FBI and CIA, together in one room and getting them talking in a confidential setting. “It was a matter of asking them, What are you afraid of?” says Friedman, and then stepping back and deciding how to design for those fears. The task force provided its recommendations to landscape architecture companies and asked them to submit proposals for many of the city’s famous sites.

MOATS  ARE  BACK 

At a time when physical security is increasingly a technology-driven function, it’s interesting to note that many of the innovative landscape security design proposals are distinctly medieval in concept. For example, the sunken walkways that will surround the Washington Monument are derived from old agricultural devices called ha-has. Historically, landowners used these walled ditches to keep the animals on their property from reaching the house without disturbing the landscape’s visual continuity. From a distance, the ditches aren’t even visible. Another design that has been given new life by security-minded landscape architects is the tank trap, a low ditch that prevents small and large vehicles from reaching a building. Frequently they are filled with water to provide an attractive feature on a property (you might recognize the concept as a moat).

Dennis Carmichael, a landscape architect with Edaw in nearby Alexandria, Va., used a similar strategy in several spots including Capital One’s new headquarters in Richmond, Va. At that site, an 18-inch-deep depression surrounds an outdoor dining terrace where it enhances security without obstructing the landscape. “Security does not have to be ugly, and it doesn't have to look heavy or dense and fortress-like,” says Carmichael. “It can look lightweight and reasonably transparent. I believe [tank traps] are going to become quite standard.”

COORDINATING THE FABRIC

In parks and at monuments, architects may be able to disguise security within the natural landscapes, but along Washington’s busy streets, the challenge is greater. Many federal buildings sit just feet away from the curb, where they have very little setback to cushion the impact of a truck bomb. And any blast consultant will confirm that every single foot of distance that a building can put between its facade and a bomb blast makes a huge difference in terms of structural damage and lives lost. As a result, streetscape furnishings—planters and benches—that would normally be found next to doors have been placed instead in long monotonous rows along curbs. Each building has taken a different approach to hardening the perimeter—some sidewalks are bordered by a thick wall of planters, and others have mixed bollards and metal fencing. The effect of this individualized approach to security is quite jarring for the average pedestrian. “Imagine if the Champs Elysee were designed by every cafe owner,” says Friedman. “It’s one thing to have subtle differences, but the basic urban fabric has to be coordinated.”

[Illustration caption] Long, low planters can function as seating areas and decorative elements as well as security walls.

In an effort to ensure that the streets make sense again, the NCPC is proposing that improvements be undertaken in a centralized fashion. Instead of everyone creating his own perimeter security solution, Friedman is tackling the political challenge of getting the White House to move the security budgeting for all the different buildings—from the Treasury and Justice departments to the IRS—into a central budget that will pay for and implement street site security. The NCPC is looking into hardening common items like streetlights, low walls, planters, fencing and seating that can then be applied to the street in a more natural fashion. Like a dental implant, these street fixtures would be rooted in heavy steel moorings underneath the surface and could be reinforced to a greater or lesser degree depending on the security requirements that the General Services Administration has set for each federal building. “Ordinary street furniture—water fountains, newspaper stands, telephone booths—can be used as effectively as a blob of concrete,” says Friedman. “Even a properly selected tree can be a fabulous defensive mechanism.”

But to date, the city’s trees have been among the most noticeable victims of the security buildup. Verdant avenues and promenades that once gave Washington so much of its natural beauty and identity have been felled in the name of national defense. At the Capitol building last year, 68 trees from the city’s historic landscape design were chopped down to create an access point for a new underground bunker and visitor center built beneath the Capitol. Jeff Lee, principal with landscape architecture firm Lee & Associates in Washington, D.C., argues that the cost of security should be weighed not just in dollars but for its cultural impact as well. “It’s like the MasterCard ad,” he says. “A commercial steel bollard: $3,000. A concrete footing: $20,000. The 60-year-old American elm that graces Independence Avenue: priceless.”

The resurrection of greenery in Washington can be found in the Van Valkenburgh design for Pennsylvania Avenue. It’s a wonderful example of balancing security measures with aesthetics (for more on this, see “The Architect,” Page 36). Part of the NCPC’s plan for the rest of the city is to surround trees with hardened street furnishings and place posts around some tree pits to give added protection.

[Illustration labels] Planters and removable bollards; Stone bollards (across steps); Plinth walls

TO HARDEN THE PERIMETER against vehicles, the National Park Service has proposed building a low plinth wall to encircle the mound on which the memorial sits. The material and finish of the wall will match the memorial’s marble and limestone exterior. Stainless steel retractable bollards will allow occasional vehicular access from the road to the memorial for special events. Granite bollards, planters and benches will complete the circle, running around the front of the building and across the steps to create a secure perimeter while permitting easy access to the site for pedestrians. To make the wall look natural and to add an additional level of protection, the grassy slope inside the perimeter will be regraded and new sod will be put down.

But in weighing the threat of terrorism against all the costs of hardening and protecting a building or monument, the landscape architects and security experts are floating around another somewhat treasonous idea—that is, to do nothing. While Moore notes that areas such as the White House and Capitol must be secured, he scoffs at the notion that every monument and memorial should receive the same treatment. “People don’t live and work in them,” he says. “They are objects. And if they are damaged, we can build them back.

“There’s a very low percentage of possibility that somebody would attack the Jefferson Memorial, but there is a 100 percent certainty that all these things we’re putting in will disfigure it,” he adds. “We shouldn’t be shooting to be totally safe. Total safety is an illusion.”

While architects and security experts agree that a middle ground between safety and aesthetic beauty does indeed exist, the challenge of reaching it in Washington’s fickle political climate is far from over. With a great deal of government bureaucracy still to wade through, Washington denizens may have to live with the barricades a while longer. But the NCPC hopes that when its security design work in Washington is finally completed, the result will be a teaching tool for public and private institutions around the country. “A fish stinks from the head,” says Friedman. “If we can show others how to [implement security] properly and beautifully in Washington, that will have a huge ripple effect.” If the project is a success, it will stand as an example of how much can be achieved when security, design and common sense come together. ■

Senior Editor Daintry Duffy can be reached via e-mail at dduffy@cxo.com.

Do jersey barriers and other highly visible fortifications make people feel more secure than having more subtle forms of security? Go online and tell us what you think. Type the DocID number (1215) into the search box to post a comment at www.csoonline.com.


If you don’t have a clear cyberincident response plan in place, you risk millions of dollars in lost productivity and revenue

By Simone Kaplan




Were there a Computer Incident Hall of Fame, you could probably imagine strolling the halls and browsing through exhibits of history’s most dynamic electronic viruses and worms—the villains whose names have sent shivers down the spine of any security expert equipped with a decent memory: The Morris Worm, Melissa, Nimda, Code Red, LoveLetter, Klez and, of course, the most recent inductee, SQL Slammer. You might also see some of the more notorious service outages, hacker penetrations, denials of service, malicious e-mail and Internet attacks on display. All have caused varying degrees of chaos, and some have even stopped businesses in their tracks, crippling productivity and costing millions of dollars in lost commerce.

And yet all could have been tamed. Had someone the foresight to put an incident response plan in place, those viruses and worms and outages and attacks might not be so infamous today.

Of course, such a place doesn’t really exist, but the threat of cyberattacks does. And it’s growing every day, due in part to the widespread use of e-mail and the Internet. According to statistics from Carnegie Mellon’s CERT Coordination Center (CERT/CC), the number of reported cyberincidents has surged from only six in 1988 to a whopping 82,000 in 2002. Despite the rising threat, however, CERT/CC finds that most CSOs don’t even think about their response to an incident until after they’ve experienced an intrusion of some sort, says Chad Dougherty, an Internet security analyst at CERT/CC. “That’s because most companies feel relatively safe. They believe that the hackers won’t target them, specifically,” he says.

IN THIS STORY: Why putting together an incident response plan can save your company money ■ What it takes to create the plan

But they’d be wrong, says Dougherty. The majority of computer incidents are no longer focused on a particular company. “Most attacks now are automated,” he says. “They spread with the intent to damage everyone and everything they can.”

Clearly, it’s time for CSOs to come to terms with the need for response planning. “For a long time, incident response meant having a loose team of people on call if something went wrong,” says Gene Fredriksen, vice president of information security at Raymond James Financial. “Then companies started getting hit regularly, and I think CSOs are finally beginning to realize that incident response is not optional.”

Not optional, but also not easy. Even a well-prepared CSO knows that an incident response plan can’t keep his company completely safe from attack—even with the latest tools for intrusion detection. “There’s just no such thing as zero risk,” says Leslie Macartney, CISO for Reuters. “And you can’t always predict the number, nature or severity of the attacks. But incident response plans are necessary because, in short, no matter how much you try, things will occasionally go wrong. Your company is at its greatest exposure in the time between when an incident occurs and when the containment actions are completed—that’s when most of the damage occurs.”

And it’s not just an internal matter, says Macartney. “Customer confidence can be damaged if it appears the company has been remiss in its handling of security events. The company’s reputation could be at stake.”

But you can’t protect everything completely, so you must prioritize, Macartney adds. By creating a specific strategy that states what to prioritize and how to react if an incident does happen—and by making your security organization capable of detecting, analyzing, and responding quickly and knowledgeably to an event—you can limit the damage done and lower the costs of recovery. And then, by knowing who to call and what to do next, you can decrease the amount of time it takes to recover and possibly save you and your staff from additional disasters along the way.

“The organizations that don’t know how to respond to incidents are the ones that will really get hurt,” says Kevin Connell, director of information security for the shared data center of the Securities Industry Automation Corp., which runs the computer systems and communications networks of the New York and American stock exchanges. “And while it’s hard to protect against something you can’t predict, it’s not so hard to react decisively in crisis situations once you have a plan in place and a procedure to follow.”

Getting  Started 

When thinking about incident response planning, remember that the best defense is a good offense. But before you do anything, says Ariel Silverstone, CISO at Temple University, it’s important to define the nature of a cyberattack. That way, you can decide what constitutes an incident for your company (see “What’s It to You?” at www.csoonline.com/printlinks). Generally speaking, a computer incident is anything that potentially compromises the confidentiality, integrity or availability of a computer system. Sometimes such incidents can be real—like a service outage. Other times, the incident is merely a perceived attack—like when a file disappears because an employee simply moved it from one server to another without telling anyone.

Drafting the response plan includes four main activities, according to Kenneth van Wyk, coauthor of Incident Response and director of technology for Tekmark Global Service’s technology risk management practice. First, pull together a response team that broadly represents the entire organization—HR, legal, media relations—and build a phone list to make alerting the necessary people more efficient. Then, create an incident reporting form—a checklist of sorts—to help document the incident and track costs along the way. Next, build a flow chart detailing the process that the team should follow during an incident (see chart, Page 56). And finally, map out a post-incident review process to ensure continuous improvement with your overall plan. Each part will play an important role in helping you deal with incidents before, during and after they occur.

[Photo caption] Gene Fredriksen, VP of information security at Raymond James Financial, says that when companies started getting hit regularly by hackers, CSOs finally realized that “incident response is not optional.”
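Two of the four planning activities, the incident reporting form that tracks costs and the flow chart the team follows, tend to decay in practice into a loose document that nobody fills in completely and a process that gets skipped under pressure. The Python sketch below is an added example, not code from the article or from any of the practitioners quoted in it. It models a reporting record whose required fields act as the checklist, accumulates response costs as line items, and lets an incident advance only through a fixed sequence of stages that ends with the post-incident review. The stage names, the cost fields and the sample incident are assumptions chosen for illustration; the article's own flow chart (Page 56) is not reproduced here.

```python
"""Added example: a minimal incident reporting record with cost tracking and a
guarded response workflow. Stage names and cost fields are assumptions for
illustration, not the article's own flow chart or form."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional, Set, Tuple


class Stage(Enum):
    """Assumed response stages, in the order the team must pass through them."""
    REPORTED = 1
    TRIAGED = 2
    CONTAINED = 3
    RECOVERED = 4
    REVIEWED = 5  # the post-incident review closes the loop


# The definition the article uses: an incident is anything that potentially
# compromises confidentiality, integrity or availability.
CIA = frozenset({"confidentiality", "integrity", "availability"})


@dataclass
class CostEntry:
    """One line item on the reporting form: staff time plus any direct spend."""
    description: str
    hours: float = 0.0
    hourly_rate: float = 0.0
    direct_cost: float = 0.0

    def total(self) -> float:
        return self.hours * self.hourly_rate + self.direct_cost


@dataclass
class IncidentReport:
    report_id: str
    reporter: str
    summary: str
    affected_systems: List[str]
    impacts: Set[str]  # subset of CIA; empty means a perceived event only
    reported_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    stage: Stage = Stage.REPORTED
    costs: List[CostEntry] = field(default_factory=list)
    timeline: List[Tuple[Stage, str]] = field(default_factory=list)
    lessons_learned: Optional[str] = None

    def is_incident(self) -> bool:
        """A real incident if some CIA property is (potentially) compromised."""
        return bool(self.impacts & CIA)

    def missing_fields(self) -> List[str]:
        """Checklist: which parts of the form are still blank or malformed."""
        gaps = []
        if not self.summary.strip():
            gaps.append("summary")
        if not self.affected_systems:
            gaps.append("affected_systems")
        unknown = self.impacts - CIA
        if unknown:
            gaps.append("impacts:" + ",".join(sorted(unknown)))
        return gaps

    def add_cost(self, entry: CostEntry) -> float:
        self.costs.append(entry)
        return self.total_cost()

    def total_cost(self) -> float:
        return round(sum(c.total() for c in self.costs), 2)

    def advance(self, note: str) -> Stage:
        """Move to the next stage only; skipping stages or reopening is rejected."""
        if self.stage is Stage.REVIEWED:
            raise ValueError("incident already closed by review")
        if self.stage is Stage.REPORTED and self.missing_fields():
            raise ValueError("form incomplete: " + ", ".join(self.missing_fields()))
        nxt = Stage(self.stage.value + 1)
        if nxt is Stage.REVIEWED and not self.lessons_learned:
            raise ValueError("review requires lessons_learned")
        self.stage = nxt
        self.timeline.append((nxt, note))
        return nxt


def run_sample_incident() -> IncidentReport:
    """Constructed sample: a worm outbreak on two servers, walked through all stages."""
    rpt = IncidentReport(
        report_id="INC-0001",  # constructed identifier
        reporter="helpdesk",
        summary="Worm traffic saturating the DMZ link",
        affected_systems=["web-01", "web-02"],
        impacts={"availability"},
    )
    rpt.add_cost(CostEntry("network team triage", hours=4, hourly_rate=90))
    rpt.advance("scope confirmed; two hosts")
    rpt.add_cost(CostEntry("isolate hosts and patch", hours=6, hourly_rate=90, direct_cost=250))
    rpt.advance("hosts off the network, patched")
    rpt.advance("service restored from clean images")
    rpt.lessons_learned = "patch SLA for internet-facing hosts cut to 72h"
    rpt.advance("post-incident review held")
    return rpt


if __name__ == "__main__":
    report = run_sample_incident()
    print(report.stage.name, report.total_cost(), len(report.timeline))
```

The guard in `advance` is the point: the flow chart is only useful if the record cannot be closed without passing through containment, recovery and a written review, and the cost total is only trustworthy if every line item was entered while the work was happening rather than reconstructed afterwards.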

Go  Team 

Incident response teams go by different names in different companies: Some call it the IRT; others use the acronym CIRT or CSIRT, for computer security incident response team. Whatever you call it, the group is pretty much your version of a SWAT team, called into action when a computer incident occurs.

Because every incident (and its potential effect on your systems) has its own particular traits and required responses, it’s important to first get a grasp of the kind of incident-handling expertise your network staff and others on the team already have, says Walt Foultz, director of IT security for Farmers Insurance Group. “Incident response is not only a security activity,” he says. “All sources of qualified and competent assistance must be assessed so you can be sure, collectively, that you have the skills to handle the job.”

During the early stages of creating an incident response program, Foultz suggests surveying your potential team members to scope out the depth of their incident response skills and technical knowledge. Find out if anyone has a specialty, such as dealing with network probes or e-mail viruses. Foultz gives his own staff verbal pop quizzes to make sure they know their stuff. “One technique I use is to set up hypothetical situations, and they have to tell me what they’d do,” he says. He also makes sure every staff member allocates a percentage of her regular work time to learn about the latest cyberincident trends and security technologies. “We do that with individual training and by disseminating internal research to the team through management and scheduled awareness sessions,” he says.




PHOTO  BY  PRESTON  MACK 


CSO Perspectives

Today’s security executives meet at the CSO Perspectives Conference

BUILDING A CULTURE OF SECURITY

Building a culture of security involves much more than laying out the policies, procedures and processes that employees, contractors and business partners should follow. It’s about how you effectively communicate the need—how you answer the question “why”—to the myriad of security measures that must necessarily be in place in your organization to ensure the safety of your people, your physical assets and your information assets. It’s about making sure everyone understands the risks and is willing to face up to the challenges.

CSO Perspectives is the landmark event for security and IT executives that helps you confront these challenges by bringing together industry, government and academic experts who’ve dealt with the issues, debated the policies, and navigated the maze of security considerations that impact you on a daily basis. You’ll exchange best practices with your peers and take home lessons learned from their experiences. What’s more, you’ll have ample time to network, share ideas and expand your contacts during our golf tournament, networking lunches, receptions and other activities.

Call  800-366-0246  or  register  at 
www.csoperspectives.com 


June  17-19,  2003 
Hotel  del  Coronado 
Coronado,  California 


TUESDAY,  JUNE  17 

3:00  pm— 5:00  pm 

Registration 

11:30  am— 5:00  pm 

Golf  Tournament 

6:30  pm— 8:30  pm 

Registration,  Welcome  Reception 
&  Special  Presentation 

WEDNESDAY,  JUNE  18 

7:00  am— 8:00  am 

Networking  Breakfast 


The  Resource  for 
Security  Executives 


V 

BRAGD0N 


8:00 am–8:20 am
Welcome
LEW MCCREARY, Editor in Chief, CSO Magazine
BOB BRAGDON, Publisher, CSO Magazine
JONATHAN ZITTRAIN, Conference Moderator and Cofounder, The Berkman Center for Internet & Society, Harvard Law School

8:20 am–9:20 am
America’s Place in a Global Society
WESLEY K. CLARK, Former NATO Supreme Allied Commander & CNN Military Analyst, author of Waging Modern War

As American business is increasingly sustained by the global market, international political and military strategy occupy a role of vital significance. Clark has been on the front lines of the world’s emerging markets, intimately aware of the political strategy and psychology that dictate corporate bottom lines. He applies his experience and skills in strategic leadership, high technology, training and organizational development to the challenges facing us today.

9:20 am–10:20 am
Creating a Culture of Security
ROBERT LITTLEJOHN, Vice President of Global Security, Avon

Security is an integral piece of the business process—it doesn’t function alone. It is essential that all domestic and international employees understand exactly what to do in situations that involve both physical and cyber security. To build a culture of security the chief security officer must take on a strategic role in the organization, emphasize leadership and communication, and develop the policies and plans that protect the company’s people and other assets.

10:20 am–11:00 am
Coffee Break and Sponsor Exhibits

11:00 am–12:15 pm
Sponsor Briefings

12:15 pm–1:45 pm
Networking Lunch

2:00 pm–2:30 pm
Special Session

2:30 pm–3:30 pm
Governance and Policy Management
Moderator: DEREK SLATER, Executive Editor, CSO Magazine
Participants: BILL SPERNOW, CISO, Georgia Student Finance Commission

Security governance issues are a particularly thorny topic, as more executives and boards of directors understand their responsibility and accountability in information security governance. They will be challenged to prove they are managing aspects of security to a level that will satisfy business partners, customers and stakeholders—and that will minimize potential litigation. A blue-ribbon panel discusses governance issues, who makes the policies, what they look like, how they get made and how you enforce them.

3:30 pm–4:30 pm
Developing an Effective Framework for Risk Assessment
DENNIS TREECE, CSO, Massachusetts Port Authority

Security is really about reducing risk to acceptable levels as determined by you and your leadership. Saying that is easy; getting there isn’t. While most business leaders can identify “bad” and “good” outcomes, few can comfortably rank-order a list of 100 “bads” and “goods” that will help you determine next year’s security budget and this year’s emergency allocation of resources. Without some outside agency like the government or your insurance carrier imposing some standards on your business, it falls to you to sort this out yourself. To do this you need to develop a systematic approach that overlays a process standard for risk evaluation that will earn the respect of your CFO, CEO and your underwriter.

This begins with analyzing your many “threats,” “vulnerabilities,” “consequences” and “countermeasures” both individually and as they relate to each other. If the threat isn’t large but the consequences are massive, you’ve got one kind of problem; if the consequences are small but the threat is large, you have another kind. The approach, tools and analytics are applicable to any kind of risk, both physical and cyber.

4:30 pm–5:30 pm
The Peer-to-Peer Networking Reception

THURSDAY, JUNE 19

7:00 am–8:00 am
Breakfast & Informal Discussion Roundtables

8:00 am–9:15 am
What Every CSO Should Know About Intellectual Property
Moderator: JONATHAN ZITTRAIN
Panelists: MELISE R. BLAKESLEE, Partner, McDermott, Will & Emery; JOHN P. PONTRELLI, Global Security Director, W.L. Gore & Associates; LYNN MATTICE, Director of Global Security, Boston Scientific

More organizations are realizing the potential threats of not safeguarding their own intellectual property, and of the possible liability of misusing others’ property, even unintentionally or unknowingly. Many are seriously weighing the risks of not implementing digital rights management (DRM) technologies. Our panel explores recent trends in intellectual property issues and litigation, and discusses the impact on businesses of all types.


9:15 am–10:30 am
Evaluating New Technologies
Moderator: CHRIS LINDQUIST, Technology Editor, CSO Magazine
BOB DEGAN, Senior Vice President, Corporate Security, First Data Corp.
COLONEL THADDEUS A. DMUCHOWSKI, Director of the Information Assurance Directorate, Department of the Army
DAVID MACLEOD, Ph.D., CISSP, CPHIMS, Director of Security, The Regence Group
JEFF WACKER, EDS Fellow, Vice President & CTO, EDS

It’s been frequently said that security is a business problem, not a technology problem. However, technology does play a crucial role in your ability to provide both physical and cyber security. Our expert panelists talk about what technologies they see in the near term that will have the most impact on the CSO and CISO. What will work, what won’t—what you should be afraid of, and why.

10:30 am–11:00 am
Coffee Break & Sponsor Exhibits

11:15 am–12:25 pm
Sponsor Briefings

12:25 pm–2:00 pm
Networking Lunch

2:15 pm–3:30 pm
DrillDown Breakout Sessions

These sessions are designed to give conference attendees the opportunity to work and network in smaller groups, and discuss specific topics and issues in greater detail.

3:45 pm–5:00 pm
Ethics and Privacy in Action: A Scenario Panel
Moderator: JONATHAN ZITTRAIN
Panelists: DEBORAH WEINSTEIN, Labor & Employment Law Attorney, Eckert Seamans Cherin & Mellott, LLC; CHRISTOPHER HOOFNAGLE, Deputy Counsel, Electronic Privacy Information Center; TERRY LENZNER, Chairman, Investigative Group International; DOUGLAS MILLER, Executive Director of Privacy, America Online

An action or policy may very well be legal—but if it isn’t ethical, you may be setting yourself and your organization up for some nasty surprises (not to mention nastier lawsuits). What’s legal, what’s ethical—what’s the difference and who decides? What role does the corporate culture play in ensuring that all employees consistently adhere to policies? Our panelists—along with audience participants—explore various scenarios.

5:00 pm–5:15 pm
Closing Summary
JONATHAN ZITTRAIN

5:15 pm–6:00 pm
Networking Reception

7:15 pm–9:30 pm
Black Tie Dinner & Entertainment
JIMMY TINGLE, Social/political Commentator & Humorist

Tingle is regarded as one of the top social and political commentators and humorists in the country, uncovering the absurdities of modern life with an irreverent and incisive wit. After two days of hard work and serious presentations, who among us can’t use a good laugh?

Presentation of the CSO Magazine Compass Awards
BOB BRAGDON & LEW MCCREARY

CSO Magazine is pleased tonight to honor several individuals whose leadership, innovative thinking and dedicated effort have advanced security awareness, policies, technologies and practices for the betterment of the field.

9:30 pm–11:00 pm
SPECIAL DESSERT RECEPTION


CSO Perspectives is proudly underwritten by Microsoft

Associate sponsors: Clearswift (Managing and securing electronic communications); DigitalPersona


CSO Perspectives

Today’s security executives meet at the CSO Perspectives Conference

June 17-19, 2003
Hotel del Coronado
Coronado, California

BUILDING A CULTURE OF SECURITY

As an executive responsible for securing and protecting an organization’s information assets and infrastructure, you are constantly searching for how to better define your mission and responsibilities within the enterprise.

You need a forum in which you can address your own unique set of business-level challenges—and network with your peers.

CSO Perspectives meets those needs with an educational and networking conference just for you—chief security officers (CSOs) and senior technology decision-makers (CIOs). At CSO Perspectives, you’ll gain firsthand knowledge from industry experts and your peers that can enhance your organization’s security strategy.

You’ll have the opportunity to:

• Exchange best practices in balancing risk and responsibility
• Learn from your peers what works in the real world
• Explore creating a culture of security
• Understand the current thinking on key issues and trends
• Uncover the hidden threats of legal liability
• Examine emerging technologies that will impact your enterprise

Visit us at www.csoperspectives.com or call 800-366-0246.

Thursday Evening: Jimmy Tingle, Social/political Commentator & Humorist

Opening Keynote: Wesley Clark, Former NATO Supreme Allied Commander & CNN Military Analyst

Conference Moderator: Jonathan Zittrain, Co-director, The Berkman Center for Internet & Society, Harvard Law School

CSO Perspectives is proudly underwritten by Microsoft

Walt Foultz, director of IT security for Farmers Insurance Group, knows that incident response isn’t just a job for security. Assess everyone, he advises, “so you can be sure, collectively, that you have the skills to handle the job.”


How your team is structured depends on the skills and available resources within your company. Large companies often have response teams staffed with people dedicated solely to handling incidents, while smaller companies often create a team consisting of a core group of people from several IT and business departments who get tapped if something happens.

George Wade, Lucent Technologies’ regional security manager for North America, recommends casting a wide net when choosing your incident response team. The ideal team should include members of your IT security team who know the company’s networks, applications and systems inside and out. Don’t forget to include representatives from other departments in the company. Not all CSOs will include people from media relations on their response teams, Wade says. “But if someone defaces your corporate website and reporters suddenly start calling, you’ll understand very quickly how important it is to have a company spokesperson informed and involved,” he explains.

Some companies decide to involve their disaster recovery or business continuity departments in their response teams—the reason is that other voices often prove helpful when things really go wrong and systems need to be shut down completely.

The team also needs a certain degree of flexibility. “Response teams shouldn’t be static,” Wade says. “They can be added to or subtracted from at any time if you decide that something needs to change.”

Once the team is in place, you’ll need to create a contact list—a staple of any response plan, says van Wyk. “If you overlook creating one, you do so at your peril,” he says. It’s essentially a phone tree, including emergency phone, pager and e-mail information for members of your incident response team. The list should also include contact information for outside authorities, such as local and state police, the FBI, CERT and any third-party provider that your company may rely on for backup assistance. Contacting the authorities won’t be necessary for every incident, but it’s good to have the information at your fingertips.

For continuity purposes, list contacts according to job function, authority and skill set rather than by name. That way, if someone leaves the company, you won’t have to rework the entire list. It also means that there’s a clear reporting structure in place: When an incident occurs at 3 a.m., for instance, and the system administrator sleeps through his pager alarm,

What does a security incident cost your company?

Determining the cost of a breach can be difficult—it often depends on the type of event that occurred and what damage, if any, the prolonged exposure added. We’ve found that few CSOs are willing to buck up and disclose how much a security breach cost them.

Part of the reason for their reticence is that they can’t tell you how much it cost—their incident response plans are either nonexistent or they lack the means to track how much the incident cost in terms of lost productivity, systems downtime, staff overtime and estimated damage to the company’s reputation (see “It’s Not Easy Being Breached” at www.csoonline.com/printlinks). Then, when incidents do occur, no one has the wherewithal to sit down and take notes to determine how many hours it took to stave off a hack, how many pizzas were ordered for people working until 4 a.m., and how many hours of downtime the systems suffered.

Creating a method of tracking the events and effects of a cyberattack at the time it occurs is both simple and smart. By making incident documentation a part of your response plan, you avoid trying to recount the incident and estimate its cost after the fact.

Here are the basic questions to ask when evaluating an incident:

■ What happened?
■ How did it happen?
■ When were you aware of the incident?
■ What is the damage?
■ What systems have been affected?
■ Are they working normally now?
■ Which employees are affected?
■ Who else is aware of the problem?
■ What is the suspected attack method?
■ What information is compromised?
■ Is it sensitive?

Those questions and their answers should be recorded as part of an incident reporting form, a scorecard of sorts to keep track of events and help you document any damage or costs to your company.

-S.K.
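The scorecard the sidebar describes, as an added example that is not part of the article: a report object whose fields are the questions above, a timeline written as events happen (with staff hours and out-of-pocket costs booked against each entry), and a cost roll-up computed from those figures instead of reconstructed afterwards. The incident, the hourly rates and every number in it are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class TimelineEntry:
    when: datetime
    note: str
    staff_hours: float = 0.0   # staff time booked against this entry
    expenses: float = 0.0      # out-of-pocket costs (the 4 a.m. pizzas)


@dataclass
class IncidentReport:
    """The sidebar's scorecard: the basic questions as fields, plus a timeline kept as events happen."""
    what_happened: str
    how_it_happened: str
    occurred_at: datetime            # best estimate of when the event started
    aware_at: datetime               # when the team became aware of it
    damage: str
    systems_affected: list[str]
    working_normally: bool
    employees_affected: list[str]
    others_aware: list[str]
    suspected_attack_method: str
    information_compromised: str
    sensitive: bool
    timeline: list[TimelineEntry] = field(default_factory=list)
    downtime_start: Optional[datetime] = None
    downtime_end: Optional[datetime] = None

    def record(self, when: datetime, note: str, staff_hours: float = 0.0, expenses: float = 0.0) -> None:
        """Write the entry now, not from memory after the fact."""
        self.timeline.append(TimelineEntry(when, note, staff_hours, expenses))
        self.timeline.sort(key=lambda e: e.when)

    def detection_lag(self) -> timedelta:
        return self.aware_at - self.occurred_at

    def downtime_hours(self) -> float:
        if self.downtime_start is None or self.downtime_end is None:
            return 0.0
        return (self.downtime_end - self.downtime_start).total_seconds() / 3600

    def staff_hours(self) -> float:
        return sum(e.staff_hours for e in self.timeline)

    def cost_estimate(self, staff_rate_per_hour: float, downtime_cost_per_hour: float) -> dict[str, float]:
        staff = self.staff_hours() * staff_rate_per_hour
        downtime = self.downtime_hours() * downtime_cost_per_hour
        expenses = sum(e.expenses for e in self.timeline)
        return {"staff": staff, "downtime": downtime, "expenses": expenses,
                "total": staff + downtime + expenses}

    def unanswered(self) -> list[str]:
        """Questions on the form still left blank."""
        text_fields = ("what_happened", "how_it_happened", "damage",
                       "suspected_attack_method", "information_compromised")
        return [name for name in text_fields if not getattr(self, name).strip()]


def demo_report() -> IncidentReport:
    """Constructed incident for illustration (not a real case): a defaced web server."""
    r = IncidentReport(
        what_happened="Public website home page replaced with a defacement message",
        how_it_happened="",                    # unknown when the form is opened
        occurred_at=datetime(2003, 5, 12, 1, 30),
        aware_at=datetime(2003, 5, 12, 2, 0),
        damage="Home page defaced; no other content altered so far as known",
        systems_affected=["www-1"],
        working_normally=False,
        employees_affected=["web team"],
        others_aware=["on-call sysadmin", "incident response lead"],
        suspected_attack_method="",
        information_compromised="none identified",
        sensitive=False,
    )
    r.record(datetime(2003, 5, 12, 2, 0), "Monitoring alert; sysadmin paged", staff_hours=0.5)
    r.downtime_start = datetime(2003, 5, 12, 2, 10)
    r.record(datetime(2003, 5, 12, 2, 10), "www-1 taken offline; disk image started", staff_hours=4.0)
    r.record(datetime(2003, 5, 12, 4, 0), "Team still on site; food ordered", staff_hours=2.5, expenses=40.0)
    r.record(datetime(2003, 5, 12, 5, 40), "Clean rebuild in service", staff_hours=1.0)
    r.downtime_end = datetime(2003, 5, 12, 5, 40)
    # Filled in during the postmortem:
    r.how_it_happened = "Unpatched web application on www-1"
    r.suspected_attack_method = "Exploit of a known web application vulnerability"
    r.working_normally = True
    return r
```

The `unanswered()` check is the useful part for a note-taker: a form with blanks in it at the end of the postmortem is a form that was not kept up during the incident.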



Some information assets on your network are more valuable than others. So how can you protect your most important assets from the most critical threats? Introducing Foundstone Enterprise™—the first enterprise-level software solution that reaches into every corner of your network to discover all your assets, identify potential threats and vulnerabilities, and decisively eliminate them. Foundstone software and solutions are already protecting the mission-critical assets of many of the world’s leading enterprises and government agencies. Find out how to get the most formidable protection for a finite budget. Call 1-877-91-FOUND. Or go to www.foundstone.com/cso1

Software | Services | Education
Foundstone

STRATEGIC SECURITY
Cyberincident Response


the team member who discovers the incident can quickly alert the next person in the chain of command.
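As an added example (not from the article or from any of the companies quoted in it), here is a role-keyed contact list with the escalation walk the text describes: the roster maps job functions to whoever currently fills them, so a departure changes one entry rather than the chain, and a page that goes unacknowledged within a timeout moves on to the next role. The names, numbers, the four-role chain order, the 15-minute timeout and the 3 a.m. scenario are all constructed placeholders.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Contact:
    """One phone-tree entry; the role is the key, the person filling it can change."""
    role: str
    name: str
    phone: str
    pager: str
    email: str


# Constructed roster with placeholder details (not any real company's list).
ROSTER = {
    "systems administrator": Contact("systems administrator", "on-call sysadmin",
                                     "+1-555-0100", "pager-0100", "sysadmin-oncall@example.com"),
    "security analyst": Contact("security analyst", "on-call analyst",
                                "+1-555-0101", "pager-0101", "secops-oncall@example.com"),
    "incident response lead": Contact("incident response lead", "IR lead",
                                      "+1-555-0102", "pager-0102", "ir-lead@example.com"),
    "CSO": Contact("CSO", "chief security officer",
                   "+1-555-0103", "pager-0103", "cso@example.com"),
    "media relations": Contact("media relations", "company spokesperson",
                               "+1-555-0104", "pager-0104", "press@example.com"),
}

# Order in which the tree is walked (assumed; the article only says
# "the next person in the chain of command").
ESCALATION_CHAIN = ["systems administrator", "security analyst",
                    "incident response lead", "CSO"]

# Outside authorities are on the list too, but contacted only when the incident calls for it.
OUTSIDE_AUTHORITIES = {"local police": "<placeholder>", "state police": "<placeholder>",
                       "FBI": "<placeholder>", "CERT": "<placeholder>"}


def replace_person(role: str, new_contact: Contact) -> None:
    """Someone leaves: swap the entry for that role; the chain itself is untouched."""
    if role not in ROSTER:
        raise KeyError(f"unknown role {role!r}")
    ROSTER[role] = new_contact


def page_sequence(started_at: datetime, acknowledgements: dict[str, Optional[datetime]],
                  ack_timeout: timedelta = timedelta(minutes=15)):
    """Page the first role; if no acknowledgement arrives within ack_timeout,
    page the next role, and so on up the chain.

    acknowledgements maps role -> when that role answered (absent/None = never).
    Returns (role, paged_at, acknowledged_at) per page sent; acknowledged_at is
    None for roles that did not answer in time.
    """
    log = []
    paged_at = started_at
    for role in ESCALATION_CHAIN:
        ack = acknowledgements.get(role)
        in_time = ack is not None and paged_at <= ack <= paged_at + ack_timeout
        log.append((role, paged_at, ack if in_time else None))
        if in_time:
            break
        paged_at += ack_timeout
    return log


def contacts_for(log) -> list[Contact]:
    """Resolve the roles in a paging log to whoever currently holds them."""
    return [ROSTER[role] for role, _, _ in log]


def demo_sysadmin_sleeps():
    """Constructed 3 a.m. scenario: no answer from the sysadmin, the analyst answers."""
    start = datetime(2003, 5, 12, 3, 0)
    acks = {"systems administrator": None,
            "security analyst": datetime(2003, 5, 12, 3, 22)}
    return page_sequence(start, acks)


def demo_nobody_answers():
    return page_sequence(datetime(2003, 5, 12, 3, 0), {})


if __name__ == "__main__":
    for role, paged, ack in demo_sysadmin_sleeps():
        status = f"acknowledged {ack:%H:%M}" if ack else "no answer"
        print(f"{paged:%H:%M} paged {role} via {ROSTER[role].pager}: {status}")
```

The paging log is worth keeping as part of the incident record: the postmortem question "did everyone on the contact list respond promptly?" is answered directly from it.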

Go with the Flow

Once your team is in place, you should create a diagram that spells out, step-by-step, what each part of the security organization needs to do when a breach occurs. And while the incident process needs to be flexible in order to handle various kinds of attacks, Silverstone says, you won’t want to leave any of the steps in the diagram to interpretation. “Be precise. Everyone should know who to call and what to do in every type of situation,” Silverstone says. “If you leave it open-ended and someone makes the wrong decision, you’ll leave your organization open to liability.”

Once you determine that you have a genuine incident on your hands, you and your designated team members can formulate a response strategy. Is the incident major or minor? Does it threaten vital business functions? Do you want to contain the incident and maintain business continuity, or do you want to allow the incident to unfold so that you can gather forensic evidence for an investigation further down the road? Should you contact outside agencies yet? Is it necessary to communicate with the general employee population? The answers to such questions will help the process move along more quickly and predictably, saving precious time and money, minimizing damage and maintaining business continuity for your company.

Consider making a team member the designated note-taker so that when a crisis hits, there’s no confusion about who’s capturing all the important information.

It Ain’t Over Til It’s Over

Finally, after every incident, CSOs need to lead their incident response teams in a postmortem review process that examines how well the incident team dealt with the attack. Did team members follow the response diagram? Did staff members handle the incident calmly? Did everyone on the contact list respond promptly? Should the contact information be updated or changed in any way? And, finally, do you need to add anyone to the team or adjust the procedures?

“If you don’t learn from what you’ve just


Make a plan that shows each part of your security organization what to do when a cyberbreach occurs

PRE-INCIDENT PREP
  |
INCIDENT DETECTION
  |
NOTIFY SYSTEMS ADMINISTRATOR
  |
INITIATE INVESTIGATION
  |
NO <-- IS IT REALLY AN INCIDENT?
  | YES
ACTIVATE TEAM
  |
CONTINUE INVESTIGATION
  |
REALLY AN INCIDENT?
  | YES
FORMULATE STRATEGY
  |
CONTACT OUTSIDE AGENCIES (IF NECESSARY)
  |
■ COLLECT EVIDENCE
■ PRESERVE LOG FILES
■ INITIATE FORENSIC DUPLICATION
■ MONITOR SYSTEM
■ APPLY SECURITY MEASURES
■ ISOLATE AND CONTAIN THE SYSTEM
  |
RETURN THE SYSTEM TO NORMAL OPERATION
  |
IDENTIFY AND IMPLEMENT LESSONS LEARNED
  |
DEVELOP AND COMMUNICATE FINDINGS

SOURCE: RON WOERNER, NEBRASKA DEPT. OF ROADS
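An added example, not from the article or from the diagram's source, that encodes the flow above as a small state machine: the unconditional arrows are a lookup table, the "really an incident?" gates demand an answer before moving on, the six response boxes must all be completed before the system returns to normal operation, and the strategy questions from the text (major or minor, contain or let it play out, outside agencies) are recorded at the "formulate strategy" step. The end state for a "no" answer is an assumption, since the diagram does not show where that branch leads.

```python
from __future__ import annotations

from enum import Enum


class Step(Enum):
    PRE_INCIDENT_PREP = "pre-incident prep"
    INCIDENT_DETECTION = "incident detection"
    NOTIFY_SYSTEMS_ADMINISTRATOR = "notify systems administrator"
    INITIATE_INVESTIGATION = "initiate investigation"
    ACTIVATE_TEAM = "activate team"
    CONTINUE_INVESTIGATION = "continue investigation"
    FORMULATE_STRATEGY = "formulate strategy"
    CONTACT_OUTSIDE_AGENCIES = "contact outside agencies (if necessary)"
    RESPOND = "collect evidence, preserve logs, duplicate, monitor, secure, contain"
    RETURN_TO_NORMAL_OPERATION = "return the system to normal operation"
    LESSONS_LEARNED = "identify and implement lessons learned"
    COMMUNICATE_FINDINGS = "develop and communicate findings"
    CLOSED_NOT_AN_INCIDENT = "closed: not an incident"   # assumed target of the NO branch


# The six boxes grouped between "contact outside agencies" and "return to normal".
RESPONSE_ACTIONS = frozenset([
    "collect evidence", "preserve log files", "initiate forensic duplication",
    "monitor system", "apply security measures", "isolate and contain the system"])

NEXT = {   # unconditional arrows
    Step.PRE_INCIDENT_PREP: Step.INCIDENT_DETECTION,
    Step.INCIDENT_DETECTION: Step.NOTIFY_SYSTEMS_ADMINISTRATOR,
    Step.NOTIFY_SYSTEMS_ADMINISTRATOR: Step.INITIATE_INVESTIGATION,
    Step.ACTIVATE_TEAM: Step.CONTINUE_INVESTIGATION,
    Step.FORMULATE_STRATEGY: Step.CONTACT_OUTSIDE_AGENCIES,
    Step.CONTACT_OUTSIDE_AGENCIES: Step.RESPOND,
    Step.RESPOND: Step.RETURN_TO_NORMAL_OPERATION,
    Step.RETURN_TO_NORMAL_OPERATION: Step.LESSONS_LEARNED,
    Step.LESSONS_LEARNED: Step.COMMUNICATE_FINDINGS,
}
GATES = {  # "is it really an incident?": (YES target, NO target)
    Step.INITIATE_INVESTIGATION: (Step.ACTIVATE_TEAM, Step.CLOSED_NOT_AN_INCIDENT),
    Step.CONTINUE_INVESTIGATION: (Step.FORMULATE_STRATEGY, Step.CLOSED_NOT_AN_INCIDENT),
}
TERMINAL = {Step.COMMUNICATE_FINDINGS, Step.CLOSED_NOT_AN_INCIDENT}


class IncidentWorkflow:
    """Walks the diagram one step at a time; the path doubles as the record."""

    def __init__(self) -> None:
        self.step = Step.PRE_INCIDENT_PREP
        self.path = [self.step]
        self.actions_done: set[str] = set()
        self.strategy: dict[str, bool] = {}

    def set_strategy(self, major: bool, contain_first: bool, notify_outside: bool) -> None:
        """The strategy questions from the text: major/minor, contain vs. let it play out, outside agencies."""
        self.strategy = {"major": major, "contain_first": contain_first, "notify_outside": notify_outside}

    def complete_action(self, action: str) -> None:
        if action not in RESPONSE_ACTIONS:
            raise ValueError(f"not one of the diagram's response boxes: {action!r}")
        self.actions_done.add(action)

    def advance(self, really_an_incident: bool | None = None) -> Step:
        if self.step in TERMINAL:
            raise RuntimeError(f"workflow already finished at {self.step.value!r}")
        if self.step in GATES:
            if really_an_incident is None:
                raise ValueError("answer 'is it really an incident?' before moving on")
            yes, no = GATES[self.step]
            nxt = yes if really_an_incident else no
        else:
            if self.step is Step.FORMULATE_STRATEGY and not self.strategy:
                raise RuntimeError("formulate a strategy before moving on")
            if self.step is Step.RESPOND and self.actions_done != RESPONSE_ACTIONS:
                raise RuntimeError(f"still open: {sorted(RESPONSE_ACTIONS - self.actions_done)}")
            nxt = NEXT[self.step]
        self.step = nxt
        self.path.append(nxt)
        return nxt


def demo_confirmed_incident() -> list[str]:
    """Constructed run: confirmed at both gates, handled end to end."""
    wf = IncidentWorkflow()
    for _ in range(3):
        wf.advance()                         # prep -> detection -> notify -> investigate
    wf.advance(really_an_incident=True)      # gate 1 -> activate team
    wf.advance()                             # -> continue investigation
    wf.advance(really_an_incident=True)      # gate 2 -> formulate strategy
    wf.set_strategy(major=True, contain_first=True, notify_outside=False)
    wf.advance()                             # -> contact outside agencies (not needed here)
    wf.advance()                             # -> response boxes
    for action in RESPONSE_ACTIONS:
        wf.complete_action(action)
    while wf.step not in TERMINAL:
        wf.advance()
    return [s.value for s in wf.path]


def demo_false_alarm() -> list[str]:
    wf = IncidentWorkflow()
    for _ in range(3):
        wf.advance()
    wf.advance(really_an_incident=False)     # gate 1 -> closed
    return [s.value for s in wf.path]


def demo_premature_return() -> bool:
    """True if the workflow refuses to leave the response boxes while one is still open."""
    wf = IncidentWorkflow()
    for _ in range(3):
        wf.advance()
    wf.advance(really_an_incident=True); wf.advance(); wf.advance(really_an_incident=True)
    wf.set_strategy(major=False, contain_first=False, notify_outside=False)
    wf.advance(); wf.advance()
    wf.complete_action("collect evidence")
    try:
        wf.advance()
    except RuntimeError:
        return True
    return False
```

Refusing to advance is the point of "be precise": the code, like the diagram, does not let anyone skip a box because the situation seemed minor.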


experienced, you open yourself up to more attacks,” says Raymond James Financial’s Fredriksen. The review is your chance to improve the plan and the team so that you can work out any kinks before the next incident strikes. Fredriksen recommends doing a risk analysis after every incident to make sure as many vulnerabilities as possible are secured.

After the review, you will find it useful to complete an incident report for your records. Among other details, the report should include all the information you’ve gathered about the incident, both during the response process and in the postmortem. That way, if you decide to pursue an investigation, you’ll have all the evidence on hand.

Remember that the steps to a clear, planned response are not complicated. Once you are sure that an incident has actually happened, determine whether it’s a major or minor event.

Decide whether your priority is to pursue an investigation and allow the incident to play out, or to shut down the problem as quickly as possible.

And finally, work to defend against further attacks. Take a look at the way in which the attack happened and determine if an application needs to be patched or a port reconfigured. Take whatever action is necessary to prevent the attack from happening again. And be sure to let everyone on the response team know that the problem is fixed.

IT threats may be coming faster and faster. But by having a clearly defined response process, you can prevent attacks from devastating your systems. “Plans are not a panacea,” Reuters’ Macartney says. “But if you use them strategically, you can limit your exposure to risk.” ■

Staff Writer Simone Kaplan can be reached via e-mail at skaplan@cxo.com.


Visit CSOonline’s archives to take a look at how USAA, one of the largest insurance companies in the nation, responds to a business continuity crisis. Read PRACTICE MAKES PERFECT, from the November 2002 issue. To read the article, go to www.csoonline.com/printlinks




Powerful IT Training & Certification

CISSP® In 7 Days
Computer Forensics In 3 Days
Professional Hacking In 7 Days
Security+/TICSA In 6 Days
Check Point In 6 Days
CCSP® In 12 Days

ISSA Members Receive 10% off all Classes

Locations in: Ft. Lauderdale, FL | New York Metro | Columbus, OH | San Diego

INTENSE SCHOOL - 8211 W. BROWARD BLVD, FORT LAUDERDALE, FL 33324 | www.intenseschool.com


Not with us it isn't.

We see management a little differently from the other guys.

At NetIQ, we don't see a problem. Only solutions. Managing your Windows server environment is easier than ever with Microsoft Operations Manager. And, as a key Microsoft partner, NetIQ extends Microsoft Operations Manager to manage and secure your entire enterprise, whether you're driving UNIX, NetWare, Linux, Windows...or all of them. NetIQ. We're the management people. And nobody does management smarter. Nobody.

CIO eBook! Get your free copy of From Chaos to Control: The CIO's Executive Guide to Managing and Securing the Enterprise. www.netiq.com/manageability

NetIQ. Work Smarter.

©Copyright 2003 NetIQ Corporation. All rights reserved. NetIQ and the NetIQ logo are registered trademarks of the NetIQ Corporation. All other names and products mentioned herein may be the registered trademarks of their respective companies.


Technologies, Tools and Tactics

Can Catch More Spies with Honey

Honeypots and honeynets can take the sting out of hacker attacks. By Simson Garfinkel

TIRED OF DEFENDING against bad guys? Instead, go on the offensive. At least that’s the idea behind so-called honeypots—computer systems that are designed to lure evildoers and then record their every move.

Think of honeypots as intelligence collection systems. Many hackers engage in routine scans of the Internet’s address space, looking for poorly defended computers. A honeypot is a deliberately vulnerable target that invites penetration while fully instrumented. So after a hacker penetrates it, you can learn how it was done, keeping you current with the latest attacks and exploits against your company’s servers. You can also collect the types of hacker tools they use and, by eavesdropping on their communications, map out their social networks.

Setting up a honeypot isn’t hard; all you need is a computer running an unpatched copy of Microsoft Windows or Red Hat Linux on your external Internet. Since hackers are likely to booby-trap the computer’s logging and auditing capabilities, you’ll want to station a network-monitoring system between the box and your Internet connection so that all the traffic in or out of the box is silently recorded. Then just sit back and wait for the inevitable attack.

Running a honeypot is not without its risks, however. That’s because the overwhelming number of compromised systems are used for attacking other systems. If you ignore a vulnerable system, you may be liable if hackers use your system to break into others. It’s called downstream liability, and it




brings us to the topic of honeynets.

A honeynet is a honeypot with added technology that properly records the hacker’s actions while simultaneously minimizing or eliminating the risks to others on the Internet. An example is a honeypot that’s set up behind a backward firewall; instead of preventing incoming connections, the firewall prevents the honeypot from initiating outbound connections. Still, while that approach makes the honeypot incapable of damaging other systems, it also makes it pretty easy for bad guys to spot. Realizing they’ve broken into a presumably booby-trapped system, the typical hacker is likely to wipe the disk clean and never return (which is not tremendously informative for the honeypot watchers).

For the past four years, Lance Spitzner and the others at the Honeynet Project have been working to create, deploy, manage and analyze the results of honeynets. Their technology is clever, but their results incredibly disturbing. To solve the problem of downstream liability, Spitzner and his team developed a range of data control techniques—for example, an adaptive firewall rule that allows five or 10 outgoing connections every hour: That’s high enough to prevent an attacker from getting suspicious, but low enough to prevent serious damage to third-party systems. These rules can be implemented on commercial firewall systems like those from Check Point Software Technologies or on firewalls built from Linux and OpenBSD systems. Of course, no data control technique is perfect. “The more you allow a blackhat to do outbound, the more you can learn, but the greater the risk,” according to the project’s website.
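As an added example, not code from the Honeynet Project or from the article, here is the adaptive outbound-connection rule modelled as a sliding-window counter: at most `limit` new outbound connections in any window, the rest dropped at the firewall. The constructed sample shows a compromised honeypot attempting eight outbound connections; with the five-per-hour setting the sixth and seventh, inside the first hour, are dropped, and the eighth passes once the oldest allowed connections have aged out of the window. The timestamps, the destinations (documentation addresses) and the exact window semantics are assumptions; a real deployment expresses this as firewall rules rather than Python.

```python
from collections import deque


class OutboundConnectionLimiter:
    """Sliding-window model of the data-control rule described in the text:
    at most `limit` new outbound connections from the honeypot in any
    `window_seconds` period; anything beyond that is dropped."""

    def __init__(self, limit: int = 5, window_seconds: int = 3600) -> None:
        self.limit = limit
        self.window = window_seconds
        self._allowed = deque()   # start times of connections allowed within the window

    def decide(self, ts: float) -> bool:
        """Return True (allow) or False (drop) for a new outbound connection at time ts."""
        while self._allowed and ts - self._allowed[0] >= self.window:
            self._allowed.popleft()           # expire entries older than the window
        if len(self._allowed) < self.limit:
            self._allowed.append(ts)
            return True
        return False


def apply_rule(attempts, limit=5, window_seconds=3600):
    """attempts: (ts, destination) pairs for outbound connection attempts seen
    leaving the honeypot, in time order. Returns (ts, destination, 'ALLOW'|'DROP')
    for each, so the watcher sees both what the intruder tried and what got out."""
    limiter = OutboundConnectionLimiter(limit, window_seconds)
    return [(ts, dst, "ALLOW" if limiter.decide(ts) else "DROP") for ts, dst in attempts]


# Constructed sample (seconds since compromise; destinations are documentation
# addresses from 203.0.113.0/24 and 198.51.100.0/24, not real hosts).
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.5:22"), (60, "203.0.113.6:22"), (120, "203.0.113.7:22"),
    (180, "203.0.113.8:22"), (240, "203.0.113.9:22"), (300, "203.0.113.10:22"),
    (400, "198.51.100.3:80"), (3700, "198.51.100.4:80"),
]


def demo(limit: int = 5) -> dict:
    decisions = apply_rule(SAMPLE_ATTEMPTS, limit=limit)
    return {"decisions": [d for _, _, d in decisions],
            "dropped": sum(1 for _, _, d in decisions if d == "DROP")}


if __name__ == "__main__":
    for ts, dst, verdict in apply_rule(SAMPLE_ATTEMPTS):
        print(f"t+{ts:5d}s  {dst:<18} {verdict}")
```

Raising `limit` from 5 to 10 lets every attempt in the sample through, which is exactly the trade-off the project's website states: more outbound means more to learn and more risk to third parties.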

Data capture is another technical challenge in running a honeypot. By recording every packet in and out of the system, the honeypot watchers can get a good idea of what the bad guys are doing. The log files on the honeypot itself are also a good data source. The log files are easily deleted by the attacker, so it’s common to have the honeypot send a copy of its log to a remote syslog server that’s on the same network but is better defended. (Be sure to watch the log server as well. If it is penetrated by your attacker using a novel attack, then your honeypot will certainly have shown its worth.)
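An added example (not from the article or the Honeynet Project) of the remote-syslog copy at work: the honeypot encodes each event as a BSD-syslog line, the collector on the better-defended box keeps every line it receives, and a comparison of the collector's copy against the honeypot's own file shows which entries were removed locally. The host name `pot1`, the events and the addresses are constructed; the line format follows RFC 3164.

```python
import re
from datetime import datetime

# RFC 3164 facility and severity codes (the subset used here).
FACILITY = {"kern": 0, "user": 1, "auth": 4, "authpriv": 10}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$")


def format_line(facility: str, severity: str, host: str, tag: str, msg: str, ts: datetime) -> str:
    """Encode one event the way a BSD-syslog sender puts it on the wire."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"    # RFC 3164: day is space-padded
    return f"<{pri}>{stamp} {host} {tag}: {msg}"


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "stamp": m["stamp"],
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


class LogCollector:
    """Append-only store on the log server; validates each line on arrival."""

    def __init__(self) -> None:
        self.lines = []

    def receive(self, line: str) -> None:
        parse_line(line)            # reject garbage before it pollutes the archive
        self.lines.append(line)


def lines_missing_locally(local_log, collector: LogCollector):
    """Lines the collector holds that no longer appear in the honeypot's own file.
    The gap itself is evidence that local logging was tampered with."""
    local = set(local_log)
    return [line for line in collector.lines if line not in local]


def demo() -> dict:
    """Constructed sequence of events on a honeypot named 'pot1' (sample data, not a capture)."""
    host = "pot1"
    t0 = datetime(2003, 5, 12, 3, 14, 7)
    events = [
        ("authpriv", "info", "sshd", "Accepted password for guest from 192.0.2.10 port 4123 ssh2"),
        ("authpriv", "notice", "su", "guest to root on /dev/pts/0"),
        ("user", "info", "ftp", "transfer complete: incoming file from 192.0.2.10"),
        ("kern", "warning", "kernel", "device eth0 entered promiscuous mode"),
    ]
    collector = LogCollector()
    local_log = []
    for i, (fac, sev, tag, msg) in enumerate(events):
        line = format_line(fac, sev, host, tag, msg, t0.replace(second=7 + i * 10))
        collector.receive(line)     # copy sent to the remote syslog server
        local_log.append(line)      # copy written to the honeypot's own log file
    # Afterwards the intruder scrubs the two local entries that show how they got in.
    local_log = [l for l in local_log if parse_line(l)["tag"] not in ("sshd", "su")]
    missing = lines_missing_locally(local_log, collector)
    return {"collected": len(collector.lines), "local": len(local_log), "missing": missing}
```

The comparison is only as good as the collector's own integrity, which is the reason the text tells you to watch the log server too.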

The task of data capture has been considerably complicated in recent years by the increased use of encryption in the blackhat community. Back in the 1990s, most bad guys logged in to their compromised systems using clear-text protocols such as telnet and rsh. Today they’ve followed the advice of numerous computer security professionals and have turned to cryptographic protocols like ssh to make their communications immune to network monitoring. Honeynet’s response to encryption is to modify the target computer’s operating system so that all keystrokes, transferred files and other information are logged to yet another monitoring system. Because the attacker might discover such logs, the project uses steganographic techniques—hiding keystrokes inside NetBIOS broadcast packets, for example. It’s a clever idea. (Unfortunately, it’s only a matter of time before the bad guys adapt those techniques to their own nefarious ends.)

One of the nice things about honeypot systems is that they do a great job at data reduction. With a typical website or mail server, attacks are usually drowned out by the legitimate traffic. Adding an intrusion detection system rarely helps because of the tendency of these systems to generate false alarms. Honeypots, on the other hand, have little or no legitimate traffic. Most of the data in or out is, by definition, an attack. As a result, it is much easier to look at the data and find out what the attacker actually did.

Since its formation in 1999, the Honeynet Project has gathered a tremendous amount of information that you can find at www.honeynet.org or in Spitzner’s 2002 book, Honeypots: Tracking Hackers. Some of the findings: The incidence of attack has doubled in the past year; attackers are increasingly using automated point-and-shoot tools with pluggable exploits (making tools easy to update as new vulnerabilities are discovered); and, despite their bravado, few hackers use novel attacks.


Sensitive  Sorts 

Airborne pathogens, industrial toxins, sickness in cattle: all can be spotted by current chemical and biological detection technologies.

Labs on a chip, or LOCs, are sensors the size of an aspirin that detect both chemical and biological agents. The military has used this technology for more than a decade, but it has been continually improved and miniaturized. Most detectors now in use gather and test air samples automatically. Some systems can detect pathogens in 20 minutes by immersing the DNA of suspicious substances in a chemical bath designed to identify a specific agent. That technique is called PCR, or polymerase chain reaction. Other detection products use infrared technology or ion mobility spectrometry, which identifies chemicals based on how quickly they move in an electric field.

Idaho Technology (www.idahotech.com/rapid) manufactures RAPID, the Ruggedized Advanced Pathogen Identification Device—a $50,000 detection unit that fits in a briefcase. RAPID was introduced in 1998 and has been purchased by the U.S. Customs Service, the Department of Agriculture and all military service branches, as well as a dozen foreign governments. Given world events, demand is on the uptick from both private companies and government agencies such as the U.S. Postal Inspection Service, according to Idaho Technology.

RAPID is also the name of a product from Bruker Daltonics (www.brukerdaltonics.com), which offers mobile sensors. This large RAPID unit can sense chemical agent clouds at a great distance using infrared technology. The company also has a line of handheld and other short-range scanners dubbed the RAID series, based on ion mobility spectrometry. Scanners of this sort continuously test the air in major cities’ subways for chemical warfare agents as well as the most common industrial toxins.

Cepheid (www.cepheid.com) has developed a DNA-based pathogen detector system called GeneXpert. Prototypes of the system are under evaluation at the Centers for Disease Control and Prevention. A handheld pathogen scanner, roughly the size of a tablet PC, is scheduled to be on the market in a few months.

-Kathleen  Carr 


60  www.csoonline.com  May  2003 




Machine  Shop 


Honeypots are primarily a research tool, but they have genuine business applications as well. Put a honeypot on an IP address adjacent to your company’s Web or mail server, and you’ll get an idea of the attacks to which it is subject. But don’t give the adjacent machine a name with your domain name server—after all, most attacks are done by IP address. You’ll get even better intelligence if the honeypot uses the same operating system, patch level and application suite as the machine you’re trying to protect. In fact, make it an exact copy and then monitor all the traffic in and out of this honeypot machine. If it gets compromised, you’ll know what to look for on your production machine.

To be sure, honeypots and honeynets are not “fire and forget” security appliances, a point that Spitzner repeatedly stresses. According to the Honeynet Project, it typically takes between 30 hours and 40 hours of analysis to really understand the damage that an attacker can do in just 30 minutes. The systems also require diligent maintenance and testing. With a honeypot, you constantly match your wits against the bad guys’. You get to choose the battlefield, but your opponent gets to choose the time of the battle. As a result, you must stay alert.

One of the most exciting things happening in the world of honeypots is the development of virtual honeynets—whole networks of virtual computers running on a single machine using a “virtualized computer” system like VMware or User-Mode Linux. A virtualized system lets you run a few (typically four to 10) virtual computers on a single host system. Virtual honeynets dramatically cut costs, machine room space and honeypot management complexities. And since the virtual computer’s “disks” are actually files on the host system, it’s easy to detect any changes the attacker may have performed and, when necessary, wipe them out. What’s more, virtual systems typically support “suspend” and “resume” functionalities, allowing you to freeze a compromised computer and examine the attacker’s processes, open TCP/IP connections and anything else that’s on the system.

For the CSO of a large organization, one of the best reasons to run a honeynet is to detect hostile insiders. Any company with more than a few hundred employees is bound to have one or two bad apples behind your firewall and probing for internal weaknesses. What better way to find them than with inside honeynets? Cut off from the outside world and set next to systems used by accounting and payroll, they’ll tell you if someone is exploring where he shouldn’t. A well-monitored system might even point you back to the perpetrator.
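The adjacent-honeypot setup and the data-reduction point above, worked through as an added example that is not the column’s own code: a constructed firewall-style connection log is parsed, every connection to the honeypot address is pulled out (nothing legitimate should ever talk to it), and the sources that also touched the production server are flagged as what to look for on the real machine. The addresses, log format and function names are assumptions.

```python
"""Honeypot touch correlation (added example; not the column's own code).

A honeypot copies the production web server and sits on the adjacent IP
address. Nothing legitimate should talk to it, so each connection to it is
a lead, and the sources that also touched production are what to look for
on the real machine. Addresses, log format and names are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed firewall-style connection log. The addresses come from the
# RFC 5737 documentation ranges and do not belong to any real host.
SAMPLE_LOG = """\
2003-05-01T02:11:04 src=203.0.113.7 dst=198.51.100.10 dport=80 proto=tcp
2003-05-01T02:11:05 src=203.0.113.7 dst=198.51.100.11 dport=80 proto=tcp
2003-05-01T02:11:06 src=203.0.113.7 dst=198.51.100.11 dport=22 proto=tcp
2003-05-01T02:12:40 src=192.0.2.55 dst=198.51.100.10 dport=80 proto=tcp
2003-05-01T02:13:01 src=192.0.2.99 dst=198.51.100.10 dport=443 proto=tcp
2003-05-01T02:13:30 src=192.0.2.120 dst=198.51.100.10 dport=80 proto=tcp
2003-05-01T02:14:10 src=192.0.2.55 dst=198.51.100.10 dport=443 proto=tcp
2003-05-01T02:15:22 src=203.0.113.8 dst=198.51.100.11 dport=445 proto=tcp
2003-05-01T02:15:23 src=203.0.113.8 dst=198.51.100.11 dport=139 proto=tcp
2003-05-01T02:16:00 src=192.0.2.55 dst=198.51.100.10 dport=80 proto=tcp
2003-05-01T02:16:45 src=192.0.2.120 dst=198.51.100.10 dport=80 proto=tcp
2003-05-01T02:17:12 src=192.0.2.99 dst=198.51.100.10 dport=80 proto=tcp
this line is not a log record and must be skipped, not crash the parser
"""

PRODUCTION_IP = "198.51.100.10"  # the real web server (assumed address)
HONEYPOT_IP = "198.51.100.11"    # its exact copy on the adjacent address (assumed)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_record(line):
    """Return a dict for one log line, or None when the line is malformed."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


@dataclass
class Correlation:
    total_records: int = 0
    honeypot_records: int = 0
    # source -> sorted ports it probed on the honeypot
    honeypot_ports: dict = field(default_factory=dict)
    # source that touched the honeypot -> sorted ports it used on production
    crossover: dict = field(default_factory=dict)

    @property
    def honeypot_share(self):
        """Fraction of the log that is honeypot traffic: the part to read first."""
        if not self.total_records:
            return 0.0
        return self.honeypot_records / self.total_records


def correlate(log_text, honeypot_ip, production_ip):
    """Pull out every honeypot touch and cross-check those sources against production."""
    c = Correlation()
    hp_ports, prod_ports = {}, {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # malformed line: skip it rather than lose the whole run
        c.total_records += 1
        if rec["dst"] == honeypot_ip:
            c.honeypot_records += 1
            hp_ports.setdefault(rec["src"], set()).add(rec["dport"])
        elif rec["dst"] == production_ip:
            prod_ports.setdefault(rec["src"], set()).add(rec["dport"])
    c.honeypot_ports = {src: sorted(p) for src, p in hp_ports.items()}
    # Only sources already seen on the honeypot are interesting on production.
    c.crossover = {src: sorted(prod_ports[src]) for src in hp_ports if src in prod_ports}
    return c


def report(c):
    """Human-readable summary: one header line plus one line per probing source."""
    lines = [f"{c.total_records} records, {c.honeypot_records} to the honeypot "
             f"({c.honeypot_share:.0%} of the log is where to start reading)"]
    for src, ports in sorted(c.honeypot_ports.items()):
        note = ""
        if src in c.crossover:
            note = f"  ALSO reached production on ports {c.crossover[src]}"
        lines.append(f"honeypot probe from {src}: ports {ports}{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(correlate(SAMPLE_LOG, HONEYPOT_IP, PRODUCTION_IP))))
```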

Ironically, monitoring your honeypot has its own legal complications—for instance, potential violations of wiretapping laws. Although there is currently no case law, most people familiar with this area of the law believe that consent banners are the way to go. That is, give every honeypot a banner that says “Anyone using this system consents to having their activity monitored and disclosed to others, including law enforcement.”

Then, to keep your honeypots from sticking out like a sore thumb, every other computer in your organization should have a similar banner. But you’ve done that already, right? ■

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He is also CTO of Sandstorm Enterprises, an information warfare software company. He can be reached at machineshop@cxo.com.




The  Positive  Value 
of  a  Power  Lunch 

As  your  company’s  security  executive,  are  you  at  the 
table  with  the  other  business  leaders?  By  Anonymous 


I HAD LUNCH WITH my CEO last week. Ninety-plus minutes of talk about international business development strategies and the risks we’re likely to face. The conversation included some heavy discussion about the trends in derogatory background investigations and a long diatribe on why our distributed IT people hadn’t installed the patches that caused all the problems earlier in the week.

He really hammered on the need to press our business unit executives on the accountability of each line manager for managing the growing risks around security. I mentioned to him that there were a few colleagues who saw this security stuff as part of the cost of doing business, and they resisted the work involved in proactive risk assessment, let alone the cost of the fix. “They think it’s my problem,” I told my boss.

“Well,” he answered crossly, “tell me who has that sort of attitude, and I’ll make damn sure they wonder what happened to their next bonus.”

Of course, I really didn’t intend to name names. It was enough that I had affirmation we were on the same page. I had all I needed to handle any follow-up. I wouldn’t even have to use his name with the reluctant executives. They were becoming well aware that I had regular access to the CEO and that he had seriously bought into enterprise security as a core business process. Except for the new guys and the reluctant few, they all understood the culture of accountability here.

All that makes my job a lot easier. It makes my boss’s job easier too.

When you think about it, business success is about relevance. And relevance is about access. So access is, well, what it’s all about.

As a CSO, my having lunch with the CEO might be seen as nothing more than a way two professionals have evolved a relationship of trust. But the access it affords me also demonstrates a willingness of the CEO to understand the issues of exposure and to engage in the debate, find consensus, secure the resources essential to success and provide the currency for the security program to monitor conformance with core security policy. That fundamental connection with the business side goes a long way toward ensuring that security is a value-added enabler in the larger risk-management strategy.

Senior management’s understanding and buy-in of a comprehensive security strategy is more than a reasonable expectation these days. It’s a business imperative. Yet is that the normal state of affairs? Are CSOs typically well positioned in the corporate hierarchy? Hardly. I know I am incredibly fortunate to work within an organization where my position as security chief is an established part of the senior management team and the scope of my responsibilities encompasses all components of security. Too few CSOs are really in a position to represent the whole picture. Current events in business risk management and oversight are not well served by this limitation in responsibility.

To wit, how many times have we seen presentations for Influencing Management or Selling the Security Program? How many companies call meetings on corporate risk management and never think to invite the CSO? How many senior executives would put security on their list of core business processes? Where is accountability for an integrated global security strategy? I know a top security manager who works at more than one organization and has never met the CEOs. Too many of our security colleagues are beginning to sound like Rodney Dangerfield: “I get no respect!” Kinda makes you wonder how we got here.




Is  Risk  the  Chicken  or  the  Egg? 

While the title may be something new, the CSO has been the heart of things risky for many corporations for a long time.

Of course, many employers didn’t need an engraved invitation to understand the relationship between measurably effective security and profitability. They saw the types of risk that could put their companies at the upper-right-hand corner of The Wall Street Journal and decided to do something about it. Others simply thought that “doing the right thing” was the only way of doing business. Still others felt a special bond of trust between the company and its shareholders—imagine! And, if all else failed, you could always count on the shareholders that simply found failure to understand risk inexcusable.

To be sure, the past few years have made asset protection programs even more relevant for corporate boardrooms. But even before today’s heightened interest in security there were plenty of alarms: the well-advertised business interruptions from incrementally insidious viruses and cyberattacks. The incidents of workplace violence. Phony prehire credentials and accomplishments by high-profile executives. The advent of the U.S. Sentencing Commission’s guidelines for corporations and related whistleblower protections. (If you somehow missed that, there was a congressional reminder from the Sarbanes-Oxley legislation in late 2002. Check out www.ussc.gov/newslett/oct2002.pdf.)

And now there’s the USA Patriot Act, which lays on increased responsibility to “know your customer” followed by increased regulatory diligence likely to be followed by other antiterrorism countermeasures. That’s a lot to worry about. Beyond all that lies the known vulnerabilities left still unattended, but threatening to return later to haunt corporate reputation.

And if all that’s not enough, there’s always the reality of domestic terrorism.

Clearly, someone needs to be paying attention to how well the organization defines risk and how clearly it assigns accountability for managing those risks. Today more than ever, someone must have a 360-degree view of security. Someone—and her infrastructure—must be at the very center of all major developments. And that’s where the CSO comes in. That’s our place at the table. That’s the key to access.

Getting  Religion 

Becoming an effective CSO means becoming an integral component of the corporate governance infrastructure. If security is valued at our organization—and we will know that if we are at the table with top management—we are already counted as a stakeholder in governance.

Once there, you need to effectively use your “bully pulpit” to influence the corporation on the full range of risks we deal with on a regular basis. Is the ethical hygiene and integrity in all its meaning at the top of your message list? If your CEO is anything like mine, you can bet he wants to know where your company or its key people are potentially putting the franchise at risk. Reputational (and personal) risk is on the mind of every audit committee member these days, so the scope of review on risk is expanding.

And don’t worry. You won’t be alone in trying to figure it all out. CSOs, CISOs, auditors, risk managers, legal counsel, HR and other governance stakeholders need to be part of an increasingly integrated team of business partners focusing on control deficiencies and issues of corporate integrity. Security councils or risk oversight groups work in some cultures, and some prefer to keep it off the record (some issues do need attorney-client privilege consideration). I happen to favor having the security program content under one integrated management accountability. One throat, if you will.

And yet with all of the talk of Enron et al. and the volumes of opinions on the adequacy of controls or the quest for moral high ground it is still difficult for some CSOs to be included as one of the parishioners, never mind one of the preachers. Some enterprises, which have so much to lose for so many, choose to shoot their messengers of bad news. Short-sighted companies limit their understanding of risk and are unwilling to give status and scope of responsibility to the individual held responsible for “protecting the franchise.” They’ve yet to understand the lessons of Enron and the need for the security program to be multifocused and highly connected.

The full-service security organization offers top management and the audit committee a perspective on risk that cannot be found elsewhere. The ability to see the failures of oversight, care and custody, maintenance for reliability, preparedness, and fundamental managerial accountability for the integrity of their business environments is unique. Moreover, it imposes an upward reporting routine that invites regular access at all levels.

The post-Enron regulatory environment beefs up criminal sanctions for corporate wrongdoing, and public companies may be delisted. With those implications and the regulatory emphasis on independent assessment of controls and the accountability placed on CEOs and CFOs, how can the CSO’s role in the maintenance of an effective program of controls be overlooked? Pay me now or pay me later.

There are many models that may be adopted to provide assurance that the various security elements are linked at critical points. It’s not about who owns what. It is about what we should be doing to ensure that our employers’ business strategy has effectively integrated the safeguards essential to enterprise protection against whatever threats may be considered of higher likelihood.

Like I said, pay me now or pay me later. ■

This column is written anonymously by a real CSO. For reader feedback, e-mail us at csoundercover@cxo.com.




Sales  and 
Services 

CSO  Sales  Offices 

President  Walter  Manninen  •  508  935-4101 
Group  Publisher 
Gary  J.  Beach  •  508  935-4202 
Publisher  Bob  Bragdon  •  508  935-4443 
Executive  VP  Sales/Custom  Publishing 
Ellen  Romanow  •  508  935-4796 

East  Coast 

Eastern  Regional  Sales  Manager 
Paul  Reiss  •  508  935-4163 
Eastern  Regional  Account  Executive 
Kim  Forrest  •  508  935-4068 
Senior  Regional  Manager 
Kathy  Powers  •  973  244-4041 
Midwest 

Regional  Director 
Robert  E.  Sawdon  •  512  306-9801 
Regional  Sales  Manager 
Christopher  Nolan  •  847  441-5005 

West  Coast 

Western  Regional  Sales  Manager 
Mary  Sinclair  •  415  975-2691 
Senior  Regional  Manager 
Jane  Evans  •  415  975-2680 
Regional  Manager 
Al Collins • 415 975-2686
Regional  Sales  Manager 
Chris  Bramel  •  949  475-5579 

List  Services 

List  Services  Director 

Kathryn  A.W.  Marston  •  508  935-4072 

List  Services  Account  Executive 

Stephanie  Roy  •  508  935-4151 

List  Services  Coordinator 

Kim  Cormican  •  508  935-4152 

Online  Services 

VP/Online  Sales 
Lisa  Brown  •  508  935-4470 
Online  Sales  Manager 
Michael  McPhee  •  508  935-4611 

Custom  Publishing 

Group  Director  Michael  Siggins 
Director  Mary  Gregory 
Director  of  Content  Development 
Tom  Field 

Project  Manager  Amy  Greenleaf 
Graphic  Designer  Chris  Brown 


Production 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Lee  Tuttle 
Senior  Production  Coordinator 
Lisa  Stevenson 

Executive  Programs 

Conference  Management  VP 

Cynthia  Mollus 

Marketing  Services  Director 

Shellie  Rapson  James 

Business  Development  VP  John  Amato 

Program  Operations  Manager  Brian  Fuce 

Marketing  Manager  Glede  Kabongo 

Marketing  Services  Coordinator 

Andrea  Slobogan 

Event  Development  Specialist 

Sandra  J.  Hughey 

Operations  Coordinator  Michael  Barbato 
Event  Planning  Manager  Amy  Turell 
Senior  Customer  Service  Coordinator 
Sarah  Yee 

Marketing 

Executive  VP/Marketing 
Cathy  O'Leary  Hayes 

VP/News  and  Information  Susan  Watson 
Media  Relations  Manager  Karen  Fogerty 
News  and  Information  Associate 
Lori  Piscatelli 

Marketing  Research  Director 
Bridget  Cammarata 
Marketing  Research  Manager 
Carolyn  Johnson 
Sr.  Marketing  Research  Analyst 
Dylan  DiGregorio 

Marketing  Comm.  Director  Sue  Yanovitch 
Sr.  MarCom  Development  Specialist 
Kari  Curto 

Marketing  Comm.  Associate 

Sarah  Crowley 

Circulation 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Director  Faith  Marcello 
Subscription  Svcs.  Supervisor  Tina  Pescaro 

Reprint  Services 

For  article  reprints,  please  contact  Reprint 
Services  at  651  582-3800  or  e-mail 
csoreprints@reprintservices.com. 

For further sales information, visit www.csoonline.com/marketing/sales.html.


CSO  Contact 
Information 

Editorial,  Advertising  and  Business  Offices 

492  Old  Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208, 

508  872-0080. 

Postal  Information 

CSO (ISSN 1540-904X) is published monthly by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Application to mail at Periodicals postage rate is pending at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A7C9.

Permissions 

Copyright 2003 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Send all requests to Permissions Department, CSO, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208.

Photocopy  Rights 

Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: £.

Subscriptions 

Address  inquiries  to  CSO,  P.O.  Box  3482, 
Northbrook,  IL  60065;  866  354-1125.  CSO 
is  free  to  qualified  information  executives. 

To all others the one-year basic rate is $90 for the United States and Canada, $115 to foreign countries (payable in U.S. funds only). The single copy price is $9. Please allow four to six weeks for new subscriptions to begin.

Change  of  Address 

Please  go  to  www.omeda.com/custsrv/cso 
and  follow  the  online  instructions. 

Postmaster 

Send  change  of  address  to  CSO,  P.O.  Box 
3482,  Northbrook,  IL  60065.  Printed  in  the 
USA. 


Index  of 
Companies  and 
Advertisers 

Page numbers refer to the first page of the article(s) in which the company has a substantial mention. This index is provided as a service to readers. The publisher does not assume any liability for errors or omissions.


Company  Index 

Ayers/Saint/Gross  . 44 

Behnisch,  Behnisch  and  Partner  . 36 

Bruker  Daltonics  Inc . 58 

Cepheid  . 58 

Check  Point  Software  Technologies  Ltd.  .58 

Delta  Air  Lines  Inc . 13 

Dial  Corp.,  The  . 28 

Edaw  Inc . 44 

Farmers  Insurance  Group  . 50 

Fuld  &  Company  . 28 

Genzyme  Corp . 36 

Hewlett-Packard  Co . 28 

IBM  Corp . 13 

Idaho  Technology  Inc . 58 

Lee  &  Associates  . 44 

Lockheed  Martin  Corp . 13 

Lucent  Technologies  Inc . 50 

Microsoft  Corp . 58 

Motorola  Inc . 28 

Olin  Partnership  . 44 

Phoenix  Consulting  Group  Inc . 28 

Professional  Examination  Service  Inc.  . .  .13 

Prudential  Financial  Inc . 13 

R.J. Heffernan Associates Inc. . . . 28

Raymond  James  Financial  Inc . 50 

Red  Hat  Inc . 58 

Reuters  . 50 

Securities  Industry  Automation  Corp.  . .  .50 

Smiths  Detection  PLC  . 13 

StockPatrol.com  Inc . 13 

Technical  Insights  . 58 

Tekmark  Global  Service  . 50 

Turner  Construction  Co . 36 

VMware  Inc . 58 

Wolff Clements and Associates LTD . . . 44

Zeichner Risk Analytics . . . 22

Advertiser  Index 

Anixter  Inc . 9 

Authenex  Inc . 35 

CeBIT  America  . 12 

Check  Point  Software . 25 

Computer Associates Intl. Inc. . . . C4

CXO  Media  Inc . 19,  53,  61,  67 

Foundstone  Inc . 55 

GuardedNet  . 11 

Guardsmark,  LLC  . C2 

Intense  School  . 57 

Internet  Security  Systems  . 7 

NetIQ Corp. . . . 58

Psynapse  Technologies  . 17 

Robert  Half  Technology  . 5 

Sony  Electronics  Inc . 27 

Stonesoft  Corp . C3 

Symantec  Corp . 2 

Tripwire  Inc . 15 

Unisys  Corp . 20 

VanDyke  Software  . 23 

VeriSign  . 62,  63 




TIA+CRM  =  OMG! 


June  2005.  The  Total  Information 
Awareness  (TIA)  program,  led  by  John 
Poindexter,  has  suffered  major  public 
relations  catastrophes  during  its  ramp-up. 
To  ameliorate  bad  press,  the  feds  have 
approved  a  costly  upgrade  that  will  give 
TIA  a  customer-friendly  CRM  front  end  and 
enable  a  win-win  for  spooks  and  ordinary 
citizens  alike.  Following  are  early  examples 
of  customer  outreach  from  the  program, 
dubbed  MySurveillance.com. 

To:  Winston  Smith 

From: TIA Database Monitoring Zealots (TIA-DMZ)

Re:  Your  Recent  Travel 
Mr.  Smith: 

We note that you’ve been to Ibiza within the past month. Part of Spain, yes? As you know, that’s a country friendly to U.S. interests. Good for you for supporting its economy! Were you aware that it’s the off-season there? And that locals call it “uh-BEETH-a”? We note you had the paella at Ugo’s Cafe Mandarina. Can you get it vegetarian?

Best regards to our little coalition builder!

John  Poindexter 
“Surveillance  for  Well-Being” 

To:  Julia  Green 

From:  TIA  Color  Codes:  Advisory  of 
Legal  Limitations  (TIA-CC:ALL) 

Re:  Re:  Upcoming  Travel 
Ms.  Green: 

In response to your query on why you’re labeled as a Red Traveler, meaning we forbid you to fly from your home in Blue Ridge to Yellowstone during the current Orange Alert, we’re blushing scarlet on this one. You were initially rated a Green Traveler. But your last name is Green, so to avoid confusion, the database changed you to a Yellow Traveler. But since you were traveling to Yellowstone, the database switched you to Red. Not to worry; we’ve got a fix: We’ll put the country at Blue Alert, change you to a Green Traveler for your trip to Yellowstone, move your home address to Red Rocks and switch your last name to Taupe.

Sorry for any inconvenience!

John  Poindexter 

“Making Social Progress Through Monitoring”

To:  Alex  Trebek 

From:  TIA  Francophobic  Unit  (TIA-FU) 
Re: Last Night’s Episode
Mr.  Trebek: 

This is your final warning. The inclusion of the category “From Paris to Cannes” (or as you put it, “from Pahhree to Can”) during Double Jeopardy last night was unacceptable. Credible intelligence also reports that you deliberately placed an Audio Daily Double in this category just so you could play Edith Piaf singing. Cease and desist immediately. In lieu of such categories, we suggest the following: Great Moments In Democracy, Supply Side Economics, Patton! or Potent Potables.

Finally, sources also tell us that tonight you plan to make the Final Jeopardy category “Touts Choses Quebec” and that you plan to pronounce it “KAY-beck” instead of “kwa-BECK.” Reconsider, or face the consequences.

Soft cheese is for sissies!

John  Poindexter 

“Securing  Liberty  at  any  Price” 


68 www.csoonline.com May 2003

ILLUSTRATION BY ZACHARY PULLEN


Manage Security Policies instead of Security Products

StoneGate™ firewall and VPN reduces complexity and lowers your structured cost. Manage security, not technology.

Security

Enables unified firewall and VPN security from laptops, to data centers and mainframes.

Centrally manages and upgrades local and remote sites.

Availability

Reliably connects fault-tolerant VPNs and firewalls with multiple ISPs.

The cost of your security complexity is higher than you think.

Contact us today to learn how to remove complexity from your security. Visit www.stonesoft.com or e-mail at info@stonesoft.com. Attend or view our webinars at www.stonesoft.com/seminars.

STONESOFT


Can your antivirus software provide double the scanning power? Ours can.

Making sure your company is secure gets more and more difficult every day. That's why eTrust™ Antivirus v7 from Computer Associates uses dual scanning engines to ensure comprehensive virus protection. It processes data in real time to search out and eliminate viruses, and it also scans files during prescheduled and off-peak hours. All at the cost of most single-engine AV products. It's more than just twice the protection. It's twice the peace of mind. ca.com/etrust/antivirus

eTrust™ Antivirus

Computer Associates®

©2003 Computer Associates International, Inc. (CA). All rights reserved. eTrust™ Antivirus was formerly known as eTrust™ InoculateIT.


